JP5390648B2 - Information management system, IC card, and information management method - Google Patents

Description

  The present invention uses, for example, a portable information terminal device such as a mobile phone having a communication function for downloading data such as content from an external server, and data stored by the electronic device in another electronic device. Information management system and information management method.

  Conventionally, in many countries overseas including Europe, a GSM (Global System for Mobile Communications) system exists as a mobile phone system system. In the GSM system, it is essential to install a SIM (Subscriber Identity Module) card, which is a kind of IC card, in a mobile phone. In Japan, there is a PDC (Personal Digital Cellular) mobile phone system that does not require a SIM card. In recent years, mobile phone systems that adopt 3GPP (3rd Generation Partnership Project) standards have become widespread in regions such as Europe, including Japan. According to the 3GPP standard, it is indispensable to attach an IC card called a USIM (Universal Density Module) card to a mobile phone like a SIM card.

  The SIM card or USIM card used in the GSM or 3GPP is an IC card mounted on a mobile phone. The SIM card or USIM card stores key information, encryption algorithms, various network parameters, and the like necessary for connecting to the communication network of the communication carrier. In such a mobile phone, information stored in the SIM card or the USIM card is transmitted to an OTA (Over The Air) server or an authentication server of a communication carrier and authenticated with these servers. A mobile phone that has been successfully authenticated with the server can receive the communication service of the carrier.

  In the 3GPP standard mobile phone, data such as contents downloaded via a wireless communication network can be stored in the internal memory of the mobile phone or a memory card attached to the mobile phone. The 3GPP standard mobile phone system enables high-speed and large-capacity data communication. For this reason, in recent years, various content businesses for mobile phones have appeared. For example, content businesses that distribute content data such as music data, video data, or electronic books to mobile phones have emerged. In such a content business, security protection such as copyright protection is important so that the content data to be distributed cannot be easily copied.

  Conventionally, the content data as described above is generally protected by a method of setting security such as access right or encryption for the data itself. However, the access right or encryption applied to the data itself may be overlooked by performing various analyzes over time. For this reason, a technique capable of highly protecting content data is required.

JP 2004-133848 A

An object of one aspect of the present invention is to provide an information management system, an IC card , and an information management method capable of improving the security of data distributed via a network.

An information management system according to one aspect of the present invention is a system having an IC card that can be attached to a portable information terminal having a network communication function and an information terminal device, and the IC card can communicate via the portable information terminal. Receiving means for receiving security information for the service from an external device of a service provider in a secure network, a tamper-resistant memory for storing security information for the service received by the receiving means, the network and the portable information Confirmation for confirming access right to the service based on the security information stored in the tamper-resistant memory in response to a request for confirmation of access right to the service received from the information terminal device via the terminal Means and this confirmation means And transmitting means for transmitting to the information terminal device information for decrypting the data body for using the service when it is confirmed that the access right is valid, and the information terminal device Is based on the access information read from the storage medium storing the encrypted data body for using the service and the access information for specifying the IC card on the network. Confirmation request means for requesting confirmation of the access right to the service, and when information for decrypting the data body is received from the IC card in response to the confirmation request by the confirmation request means, the information is stored in the storage medium. Reading means for decoding and reading out the data body.

According to one aspect of the present invention, it is possible to provide an information management system, an IC card, and an information management method capable of improving the security of data distributed via a network.

The figure which shows the outline | summary of the structural example of the communication system which concerns on embodiment of this invention. The block diagram which shows the structural example of a mobile telephone. It is a figure for demonstrating schematically the utilization method of the service which a content server provides. The figure which shows the structural example of security information. The figure which shows the structural example of access information. It is a figure which shows the structural example of service AP and control AP. The figure for demonstrating the process sequence in the case of using the service which a content server provides with a mobile telephone. The figure which shows schematically the procedure of utilizing the content data downloaded with the mobile telephone with a personal computer. The figure for demonstrating the process sequence for utilizing the data AP stored in the 2nd IC card with a personal computer.

The best mode for carrying out the present invention will be described below with reference to the drawings.
FIG. 1 is a diagram showing an outline of a configuration example of a communication system according to an embodiment of the present invention.
As shown in FIG. 1, in the communication system, a mobile phone 11 as a communication terminal device with the first IC card C1 and a communication carrier system (communication network) 20 communicate with each other.

  A first IC card C1 is attached to the mobile phone 11. The mobile phone 11 performs communication (voice call, data communication, etc.) with a communication carrier system (communication network) with the first IC card C1 attached. That is, the mobile phone 11 can be used as a mobile phone with the first IC card C1 attached.

  The first IC card C1 includes a control element (LSI or the like), various memories (working memory, program memory, rewritable nonvolatile memory, etc.), an interface, and the like. For example, the first IC card C1 is an IC card for the mobile phone 11 called USIM or SIM, for example. In the first IC card C1, the control element implements various functions by executing various control programs stored in the program memory or the nonvolatile memory using the working memory.

  For example, the first IC card C1 has a mutual authentication function with the mobile phone (terminal device) 11, a mutual authentication function with the communication carrier system 20, or a mutual authentication function with various modules in the mobile phone 11. have. The first IC card C1 executes various authentication processes using authentication data by executing an authentication program. For example, the first IC card C1 stores authentication data for performing communication with the communication carrier system 20. Thereby, when the mutual authentication with the telecommunications carrier system 20 is successful, the mobile phone 11 to which the first IC card C1 is attached is a service provided by the telecommunications carrier (call, data communication, etc.) ) Is now available.

  The first IC card C1 has a non-volatile memory Ca1 partly or entirely having tamper resistance. In the first IC card C1, authentication data, user personal information, an authentication control program, and the like are stored in a tamper-resistant memory Ca1 in a nonvolatile memory. Further, the tamper-resistant memory Ca1 in the nonvolatile memory of the first IC card C1 stores a control application for using data downloaded from the outside, security information (described later), and the like. ing.

  The mobile phone 11 has an interface to which the second IC card C2 or the memory card M can be attached and detached. The second IC card C2 or the memory card M functions as a storage medium for storing data in a state in which the second IC card C2 or the memory card M is mounted on the mobile phone 11. For example, in the example shown in FIG. 1, the second IC card C2 has a control element, a working memory, a program memory, a rewritable nonvolatile memory Ca2, an interface, and the like. The non-volatile memory Ca2 of the second IC card C2 can store data downloaded from the outside by the cellular phone 11 via the communication carrier system 20.

  The telecommunications carrier system 20 includes a communication facility 21, an OTA (Over The Air) server 22, and the like. The communication facility 21 is a facility for performing communication with the mobile phone 11. The OTA server 22 is a server device for controlling communication with the mobile phone 11 via the communication facility 21.

The OTA server 22 also functions as an authentication server that performs authentication with the mobile phone 11 (an IC card attached to the mobile phone). The OTA server 22 includes a control unit for controlling the entire apparatus, a communication interface 21 for communicating with the communication facility 21 or each server, a storage unit for storing data, and the like. The OTA server 22 also functions as a management server that manages the mobile phone 11 or data (authentication data) related to the IC card C attached to the mobile phone 11. The authentication server and the management server may be provided separately from the OTA server. Further, a content provider server (hereinafter referred to as a content server) 23 as an external server is connected to the communication carrier system 20. ing. A data server 24 is connected to the content server 23. The content server 23 stores content data (for example, image data, moving image data, electronic book data, or an application for using various services) stored in the data server 24 via the communication carrier system 20. The server device is provided to the mobile phone 11 of each user. The content server 23 has a control unit for controlling the entire apparatus, a communication interface for communicating with the OTA server 22, a storage unit for storing data for user management, and the like. The data server 24 includes a storage unit for storing data such as content data.

Next, the configuration of the mobile phone 11 will be described.
FIG. 2 is a block diagram illustrating a configuration example of the mobile phone 11.
As shown in FIG. 2, the mobile phone 11 includes a control unit 31, a RAM 32, a ROM 33, a nonvolatile memory 34, a first IC card interface (also referred to as a first interface) 35, a second IC card or a memory device. Interface 36 (also referred to as a second interface), an antenna 37, a communication unit 38, an audio unit 39, a vibration unit 40, a display unit 41, an operation unit 42, a power supply unit 43, and the like.

  The control unit 31 controls the entire mobile phone 11. The control unit 31 includes a CPU, an internal memory, various interfaces, and the like. The control unit 31 has, as its basic functions, a display control function for controlling the display of the display unit 41, a PLL (Phase Locked Loop) circuit, a data stream path switching, a DMA (Direct Memory Access) controller, an interrupt controller, It has functions such as timer, UART (Universal Asynchronous Receiver Transmitter), secrecy, HDLC (High-level Data Link Control procedure) framing, device controller, and the like.

  The RAM 32 is a volatile memory for storing work data. The ROM 33 is a non-volatile memory that stores control programs, control data, and the like. The ROM 33 is a nonvolatile memory. For example, the ROM 33 stores a control program and control data for performing basic control of the mobile phone 11 in advance. That is, the control unit 31 realizes basic control of the mobile phone 11 by executing a control program stored in the ROM 33.

  The nonvolatile memory 34 is a rewritable nonvolatile memory that stores various data. The nonvolatile memory 34 stores various application programs (applications), control data, user data, and the like. For example, the control unit 31 realizes various functions by executing application programs stored in the nonvolatile memory 34.

  The first interface 35 is an interface to which the first IC card C1 is attached. The first interface 35 is connected to the control unit 31. Thus, the control unit 31 can perform data communication with the IC card C1 via the first interface 35. The first IC card C1 connected to the first interface 35 can communicate with the outside through an antenna provided in the mobile phone 11.

  The second interface 36 is an interface to which the second IC card C2 or the memory card M can be attached and detached. The second interface 36 is connected to the control unit 31. Accordingly, the control unit 31 can access (write or read data) the second IC card C2 or the memory card M mounted on the second interface 36. The second IC card C2 connected to the second interface 36 can also communicate with the outside via an antenna provided in the mobile phone 11.

  A communication antenna 37 is connected to the communication unit 38. The communication unit 38 transmits and receives call data or data for data communication via the antenna 37 by radio waves. The audio unit 39 has an analog front end unit and an audio unit, and inputs and outputs audio. The audio unit 39 is connected to a speaker, a receiver, a microphone, and the like (not shown). The vibration unit 40 is configured by a vibration mechanism that vibrates the entire mobile phone 11. The display unit 41 is configured by, for example, a liquid crystal display device. The display unit 41 is configured to control display on / off, display contents, and the like by the control unit 31. When the mobile phone 11 has a shell shape or the like, the display unit 41 includes a main display unit that appears when the housing is opened and a sub display unit provided on the back of the housing. You may make it. The operation unit 42 is configured by a keyboard or the like, and an operation instruction from the user is input.

  The power supply unit 43 is configured by a battery or the like, and supplies power to each unit in the mobile phone 11. The power supply unit 43 also supplies power to the first IC card C1 connected via the first interface 35 and the second IC card C2 or memory card M connected via the second interface 36. It also has a function of supplying

Next, a system that uses the service provided by the content server 23 on the mobile phone 11 will be schematically described.
FIG. 3 is a diagram for schematically explaining a method of using a service provided by the content server 23 (a method of downloading content data and executing the downloaded content data).
In the example shown in FIG. 3, the mobile phone 11 has a first IC card C1 used as a USIM attached to the first interface 35, and a second interface 36 that is different from the first IC card C1. It is assumed that the IC card C2 is attached. In addition, a service application (service AP) 51 for using a service provided by the content server 23 (for example, distribution of content data) is stored in advance in a memory (for example, the non-volatile memory 34) in the mobile phone 11. It is assumed that The first IC card C1 has a tamper resistant memory Ca1. Security information (key data, certificates, etc.) can be securely stored in the tamper resistant memory Ca1.

First, a procedure for downloading content data will be schematically described.
A user who wants to use the service provided by the content server 23 activates the service AP 51 by operating the operation unit 42 of the mobile phone 11. When the service AP 51 is activated, the user selects a service to be used by the operation unit 42 of the mobile phone 11 (requests download of desired content). Then, the cellular phone 11 requests the content server 23 to use the service selected by the user by the service AP 51. In response to such a request, the content server 23 provides service data (content data) selected by the user from the data server 24 to the mobile phone 11.

  Here, it is assumed that the content data includes a control application (control AP) 61 (61a, 61b,...) And a data application (data AP) 71 (71a, 71b,...). The data AP 71 is a main body of content data and can be used by the corresponding control AP 61. That is, the service (content) provided by the content server 23 is provided by executing the data AP 71 by the control AP 61.

  The control AP 61 and the data AP 71 are stored in separate storage devices in the mobile phone 11. In the example shown in FIG. 3, the control AP 61 is stored in the first IC card C1, and the data AP 71 is stored in the second IC card C2. As shown in FIG. 3, each control AP 61 stores security information (access right information) 72 for confirming the access right to the corresponding data AP 71 in association with each other. Each data AP 71 stores access information 72 for accessing the corresponding security information 62 in association with each other.

The control AP 61 and the security information 62 are stored in a secure area such as a tamper-resistant memory in the mobile phone 11. Here, as shown in FIG. 3, it is assumed that the data is stored in the tamper-resistant memory Ca1 in the first IC card C1 attached to the mobile phone 11.
The data AP 71 and the access information 72 are stored in a memory accessible by the mobile phone 11. For example, the data AP 71 and the access information 72 are stored in the second IC card C 2 that can be attached to and detached from the mobile phone 11, the memory card M that can be attached to and detached from the mobile phone 11, or the nonvolatile memory in the mobile phone 11. 34 can be stored. However, in any case, the data AP 71 is stored in an encrypted state so that it cannot be decrypted without using the control AP 61 and the security information 62. Here, as shown in FIG. 3, it is assumed that the data is stored in the memory Ca2 in the second IC card C2 attached to the mobile phone 11.

  When a request for using a specific service (content data download request) is received from the mobile phone 11, the content server 23 controls the first IC card C1 attached to the mobile phone 11 with respect to the control AP 61. And the security information 62 are downloaded, and the data AP 71 and the access information 72 are downloaded to the second IC card C2 attached to the mobile phone 11. The content server 23 manages security information 62 downloaded to at least the first IC card C1.

  That is, the control unit (not shown) of the first IC card C1 associates the control AP 61 downloaded from the content server 23 via the mobile phone 11 with the security information 62, and the tamper resistant memory Ca1. To remember. The control unit (not shown) of the second IC card C2 stores the data AP 71 downloaded from the content server 23 via the mobile phone 11 and the access information 72 in association with each other in the memory Ca2. Here, it is assumed that the data AP 71 is encrypted and stored in the second IC card C2 in a state that can be decrypted by the control AP 61 and the security information 62.

  The security information 62a is security information for making the data AP 71a available. For example, the security information 62a is identification information for specifying the data AP 71a, information indicating an expiration date, usage conditions, access conditions, and the like. Based on the security information 62a, the control AP 61a uses the data AP 71a. The access information 72a is information indicating information to be referred to in order to use the data AP 71a. For example, the access information 72a is information indicating a reference destination, access time, number of uses, authentication information, and the like. Here, it is assumed that the access information 72a includes at least information indicating a location where the control AP 61a and the security information 62a corresponding to the data AP 71a are stored.

  That is, each data AP 71 can be used by the security information 62 and the control AP 61 specified by the corresponding access information 72. For example, when the data AP 71a is stored in an encrypted state, the data AP 71a is decrypted based on the security information 62a by the function of the control AP 61a corresponding to the data AP 71a.

  Through the processing procedure as described above, the cellular phone 11 performs a process of downloading data for a service provided by the content server 23. That is, according to the processing procedure as described above, the control AP 61a and the security information 62a for executing a desired service are stored in the first IC card C1 attached to the mobile phone 11, The second IC card C2 attached to the mobile phone 11 stores data AP 71a as a data body of a desired service and access information 72a for accessing the corresponding security information 62a.

Next, a method for using the data downloaded in the above procedure will be schematically described.
Data AP (content main data) 71 stored in the second IC card C2 by the processing procedure as described above can be used in the mobile phone 11 in accordance with a user operation.
When using a service based on downloaded data (for example, when using data AP 71a), the control unit 31 of the mobile phone 11 activates the service AP 51 in accordance with an operation by the user. In a state where the service AP 51 is activated, the control unit 31 of the mobile phone 11 transmits an access command requesting access to the desired data AP 71a to the second IC card C2 by the function of the service AP 51.

  The second IC card C2 that has received the access command from the service AP 51 executed by the control unit 31 of the cellular phone 11 uses the access information 72a associated with the data AP 71a as response data for the access command. Reply to AP51. That is, in response to the access command, the second IC card C2 returns information that can identify the first IC card C1, the control AP 61a, and the security information 62a to the service AP 51 as a response.

The service AP 51 that has received the access information 72a from the second IC card C2 transmits an access right confirmation command to the first IC card C1 specified by the access information 72a.
The first IC card C1 that has received the access right confirmation command from the service AP 51 confirms the access right based on the security information 62a by the control AP 61a associated with the data AP 71a. When it is confirmed that the user has the access right, the first IC card C1 returns information for decrypting the data AP 71a to the service AP 51 as response data to the access right confirmation command. That is, when the access right can be confirmed, the first IC card C1 responds to the access right confirmation command with data (for example, a decryption key) necessary for using the data AP 71a as a response. Return to AP51.

The service AP 51 that has received the response as described above from the first IC card C1 sends a read command requesting the second IC card C2 to read the data AP 71a. The second IC card C2 that has received the read command reads the data AP 71a and returns the read data to the service AP 51. The second IC card C2 supplies the data AP 71a to the service AP 51 in an encrypted state as a response to the read command requesting the data read.
When receiving the encrypted data AP 71a from the second IC card C2, the service AP 51 receives the data of the received data AP 71a from the information for decryption received from the first IC card C1. Decrypt. As a result, the service AP 51 can use the service desired by the user.

Next, the security information 62 will be described.
FIG. 4 is a diagram illustrating a configuration example of the security information 62.
In the example illustrated in FIG. 4, the security information 62 includes information such as a reference source, an expiration date, the number of uses, an access condition, and an RFU.
The reference source information is information for specifying access information referring to the security information. For example, the reference source information includes identification information (ICCID) of the second IC card C2 storing the data AP and access information, an IP address, or application identification information (AID). Based on this reference source information, access information referring to the security information is determined.

  The expiration date information is information indicating the expiration date of the service (data AP) associated with the security information. This expiration date information defines the expiration date of the service to which the security information corresponds. For a service (data AP) for which a temporary useable period is set, a temporary use time limit may also be stored as information on the effective time limit. For example, for a service that can be temporarily used only for a specific period, it is possible to set a temporary use date in addition to the true expiration date as information on the expiration date.

  The usage count information is information indicating the usage count of the service (data AP) corresponding to the security information. Further, the number of times of use may be stored as the information on the number of times of use. For example, for a service with a limit on the number of times it can be used, the number of times of use is counted up each time the service is used until the number of times of use is exceeded. Moreover, when the number of times of use is exceeded, the operation of prohibiting the use of the service becomes possible.

The access condition information is information indicating a condition for using a service corresponding to the security information 62 (a condition for accessing the data AP 71). For example, the access condition information includes information on a PIN (personal identification number), information on an authentication method, information on encryption, or information on a condition for determining whether access is possible. In the information on the PIN, what PIN is used as the authentication information is defined. In the information on the authentication method, an authentication processing procedure, authentication information, necessity of authentication for a terminal device (mobile phone), and the like are defined. In the information related to encryption, key information for encryption (decryption), an encryption method (encryption process), and the like are defined. In the information on conditions, it is specified which condition among various conditions is permitted to access (AND and OR conditions for various conditions).
The RFU is a data area reserved for storing information other than the above and for future expansion.

  The security information 62 as described above is downloaded from the content server 23 to the first IC card C1 as described above. This indicates that the content server 23 can manage the security information 62 downloaded to the first IC card C1. That is, the content server 23 controls the expiration date, the number of times of use, the access conditions, etc. for the use of the service (reading of the data AP 71) by the security information 62 downloaded to the first IC card C1. Is possible.

  Next, the access information 72 will be described.

FIG. 5 is a diagram illustrating a configuration example of the access information 72.
In the example illustrated in FIG. 5, the access information 72 includes information such as a reference destination, usage time, usage count, data summary, and RFU.
The reference destination information is information indicating security information to be referred to in order to access the service (content data). For example, when security information is stored in the first IC card C1, the reference information specifies the IC card identification information (ICCID) or IP address for identifying the first IC card C1, and the service. Application identification information (AID) and the like are included. The security information for the service is specified by the information of the reference destination. However, this reference destination information includes only information for searching for security information, and does not include information for specifying or estimating specific contents of the security information.

  The usage time information is information indicating the date and time when the service is accessed. For example, as the usage time information, the time at that time is stored every time the service (corresponding data AP 71) is accessed. As the usage time information, past access times may be stored as log data by accumulating access times for the service. Based on the usage time information, it is possible to determine whether access is possible based on the usage time.

The usage count information is information indicating the usage count of the service (data AP) corresponding to the access information. That is, as the information on the number of uses, the number of uses is counted up every time the service is used.
The data summary information is stored regarding the summary of data for using the service (data for accessing the data AP). However, the information on the data summary does not include specific information on security. That is, the data summary includes information such as whether the PIN is input, whether authentication is required, or whether the data AP is encrypted.
The RFU is a data area reserved for storing information other than the above and for future expansion.

  As described above, the access information 72 does not include specific information related to security for the service (information such as PIN information, authentication method, encryption method, key information for encryption / decryption). It is like that. This is to prevent the security of the service from being broken from the access information 72 itself even when the access information 72 is leaked. In other words, even if the access information 72 is stored in a storage means such as the memory card M or the non-volatile memory in the mobile phone 11, the security for the service does not deteriorate.

Next, the function of the control AP 61 will be described.
FIG. 6 is a diagram illustrating a configuration example of the service AP 51 and the control AP 61. Hereinafter, the function of the control AP 61 will be described with reference to FIG.
As shown in FIG. 6, the control AP 61 in the first IC card C1 operates in conjunction with the service AP 51 in the mobile phone 11 body. The control AP 61 controls the use of the service (storage of access right to the data AP 71, etc.) while referring to the security information 62.

  In the example illustrated in FIG. 6, the control AP 61 includes a security information processing unit 81, a decryption key 82, a decryption logic 83, and a certificate 84. The security information processing unit 81 performs processing according to the security information 62 as described above. For example, the security information processing unit 81 performs processing for determining the validity of the access right based on the security information 62. The decryption key 82 is key information for decrypting the data AP 71. The decryption logic is information indicating a decryption method for decrypting the data AP 71. The certificate 84 is information indicating that the service or the control AP 61 is legitimately downloaded.

  Note that the configurations of the control AP 61 and the service AP 51 are not limited to the configurations shown in FIG. For example, the service AP 51 may have the decryption key 82 or the decryption logic 83. That is, the configurations of the control AP 61 and the service AP 51 may be appropriately determined according to the performance of the first IC card C1 or the security performance required for each service.

Next, a processing procedure when the mobile phone 11 uses a service provided by the content server 23 will be described.
FIG. 7 is a diagram for explaining a processing procedure when the mobile phone 11 uses a service provided by the content server 23.
In the example shown in FIG. 7, as in the example of FIG. 3, the control AP and security information are downloaded to the first IC card C1, and the data AP and access information are downloaded to the second IC card C2. And In FIG. 7, a main application (main AP) and a service application (service AP) 51 are applications executed by the control unit 31 of the mobile phone 11 main body. That is, in the description to be described later, the main subject of operation by the main AP and the service AP is the control unit 31 of the mobile phone 11 main body.

  First, the user selects a service to be used from among the services provided by the content server 23 by operating the operation unit 42 of the mobile phone 11. Then, the main AP executed by the control unit 31 of the mobile phone 11 activates the service AP 51 for executing the service designated by the user. When the service AP 51 is activated, the main AP transmits an initial setting request for the service selected by the user to the service AP 51 (step S11). Upon receiving the initial setting request, the service AP 51 performs a download process of the service in order to execute the specified service. That is, the service AP 51 notifies a download request for the service designated by the initial setting request to the content server 23 that is a provider of the service (step S12).

  In response to the download request for the service, the content server 23 downloads the control AP 61 and security information 62 of the service to the first IC card C1 attached to the mobile phone 11 (step S13). Here, the mobile phone 11 can use network communication or the like in a state where mutual authentication with the first IC card C1 is successful. For this reason, in the download request, information indicating the first IC card C1 that is the download destination of the control AP 61 and the security information 62 is specified. As a result, the content server 23 can download the control AP 61 and the security information 62 to the first IC card C1 attached to the mobile phone 11. That is, only data downloaded from the content server 23 to the first IC card C1 passes through the main body of the mobile phone 11, and the first IC card C1 attached to the mobile phone 11 contains Data from the content server 23 is downloaded directly.

  In the first IC card C1 attached to the cellular phone 11, the control AP 61 and security information 62 downloaded from the content server 23 are stored in the tamper-resistant memory Ca1. When the control AP 61 and the security information 62 are normally stored in the tamper-resistant memory Ca1, the first IC card C1 transmits a notification indicating the normal end of the download to the content server 23 that is the download source. (Step S14).

  When the content server 23, which is the download source, receives a notification indicating the normal termination of the download from the first IC card C1, the data AP 71 is sent to the second IC card C2 attached to the mobile phone 11. And the process which downloads the access information 72 in the encrypted state is started (step S15). At this time, the data AP 71 and the access information 72 are downloaded in an encrypted state so that they can be decrypted based on the security information downloaded to the first IC card C1.

  Here, it is assumed that the information indicating the second IC card C2 as the download destination of the data AP 71 and the access information 72 is specified by the download request in step S12. Note that the information indicating the second IC card C2 may be specified together with the notification indicating the normal end of download in step S14. The download destination of the data AP 71 and the access information 72 from the content server 23 may be the main body of the mobile phone 11. In this case, the cellular phone 11 main body temporarily receives the data AP 71 and the access information 72 downloaded from the content server 23, and writes the received data AP 71 and the access information 72 in a storage destination such as the second IC card C2. Anyway.

  In the second IC card C2 attached to the cellular phone 11, the data AP 71 and the access information 72 downloaded from the content server 23 are stored in the internal memory Ca2. When the data AP 71 and the access information 72 are normally stored in the memory Ca2, the second IC card C2 transmits a notification indicating the normal termination of the download to the content server 23 that is the download source (step S16). .

  When the content server 23, which is the download source, receives a notification indicating the normal end of the download from the second IC card C2, the content server 23 confirms that the initial setting has been normally completed for the service AP 51 of the mobile phone 11 main body. An initial setting normal end notification is transmitted (step S17). When the service AP 51 of the mobile phone body receives a notification indicating the normal end of the initial setting from the content server 23, the download (initial setting) of the service is completed.

  As a result of the processing in steps S11 to S17, the various data for using the service provided by the content server 23 are the first IC card C1 and the second IC card mounted on the mobile phone 11. Downloaded to C2. That is, according to the processing in steps S11 to S17, the control AP 61 and the security information 62 for executing a desired service are downloaded to the first IC card C1 attached to the mobile phone 11. Then, data AP71 and access information 72 of the desired service are downloaded to the second IC card C2 attached to the mobile phone 11.

Next, processing when using a service using data downloaded in the above processing will be described.
The data AP (content main body) 71 downloaded to the second IC card C2 by the processing in steps S11 to S17 is the access condition defined by the security information 62 downloaded to the first IC card C1. If it satisfies, it can be used according to the user's operation.

  That is, when using a service based on downloaded data (when accessing the data AP 71a), in the main body of the mobile phone 11, the main AP sends data corresponding to the service to the service AP 51 in accordance with a user operation or the like. The AP 71a is specified and a request to read the data AP 71a is made (step S21). When receiving the data read request, the service AP 51 transmits an access command for requesting the access information 72a corresponding to the data AP 71a to the second IC card C2 to the second IC card C2 (step). S22). This access command includes information indicating the data AP 71a as an access target.

When receiving the access command from the service AP 51, the second IC card C2 reads the access information 72a associated with the data AP 71a designated by the access command, and reads the read access information 72a. The response data for the access command is returned to the service AP 51 (step S23).
When the access information 72a is received from the second IC card C2 as a response to the access command, the service AP 51 determines the storage destination of the security information 62a based on the received access information 72a (step S24). Here, the first IC card C1 is specified as the storage destination of the security information 62a by the reference destination information of the access information 72a.

  When it is determined from the access information 72a that the security information 62a is stored in the first IC card C1, the service AP 51 transmits the access information 72a together with an access right confirmation command to the first IC card C1. (Step S25).

  The first IC card C1 that has received the access right confirmation command from the service AP 51 confirms the access right based on the security information 62a by the control AP 61a associated with the access information 72a (step S26). In this access right confirmation process, for example, based on the security information, it is determined whether it is within the expiration date, within the available number of times, or whether the access condition is satisfied. When it is confirmed that the access right is valid, the control AP 61a determines that the service can be used (the access right to the data AP 71a is valid).

  If it is determined that the service can be used, the first IC card C1 uses the notification that the access right is valid as a response to the access right confirmation command and decrypts the data AP 71a. Information is transmitted to the service AP 51 (step S27). When it is determined that the service is unavailable (when it is determined that the access right to the data AP 71a is invalid), the first IC card C1 has an access right as a response to the access right confirmation command. A notification of invalidity is transmitted to the service AP 51.

  The service AP 51 interprets the response supplied from the first IC card C1, and sends to the second IC card C2 a read command requesting to read data for decrypting the data AP 71a (step S28). The second IC card C2 that has received the read command reads the data AP 71a and transmits the read data to the service AP 51 (step S29).

  When the service AP 51 receives the encrypted data from the second IC card C2, the service AP 51 receives the received data based on the decryption key, the decryption logic, etc. supplied from the first IC card C1. Decryption is performed (step S30). Thereby, when the data of the data AP 71a is decrypted, the service AP 51 can execute the service (step S31).

  In the above-described processing example, the data AP 71a whose access right has been confirmed is decrypted by the service AP 51 executed by the mobile phone 11 main body. However, the data AP 71a may be decrypted by the first IC card C1. This can be realized by the second IC card C2 transferring the read data AP71a to the first IC card C1 and transmitting the data AP71a decrypted by the first IC card C1 to the service AP51. . In this case, the operation as described above can be realized while the information on the decryption is held in the first IC card C1.

  As described above, in the mobile phone as the mobile information terminal device, the tamper resistance is provided in the first IC card C1 attached to the mobile phone with security information for a specific service downloaded from the content server. Data stored in a memory (first storage means) capable of securely storing data, such as a memory, and accessed for accessing a data body for using the service downloaded from the content server and security information for the service Information is stored in a storage medium (second storage means) such as the second IC card C2 or the memory card M mounted on the mobile phone, and the access information stored in the second storage means is used. Based on the security information stored in the specified first storage means It reads the data body Te.

  As a result, information related to security for data distributed via the network can be held by the first IC card C1 having the tamper-resistant memory Ca1 attached to the mobile phone 11, and distributed via the network. Data security can be improved.

The security information 62 for the service stored in the tamper resistant memory Ca1 of the first IC card C1 is stored in the second storage means (second IC card C2 or memory card M). A storage location is determined based on the access information 72. As a result, the mobile phone 11 confirms the access right to the service based on the security information 62 for which the storage location is determined. If it is confirmed that the access right is valid by this confirmation, the mobile phone 11 stores the access right in the second storage means. Read the stored data body.
As a result, information related to security for data distributed via the network can be held by the first IC card C1 having the tamper-resistant memory Ca1 attached to the mobile phone 11, and distributed via the network. Data security can be improved.

Further, the data body (data AP 71) for using the service stored in the second storage means (second IC card C2 or memory card M) is tamper-resistant of the first IC card C1. Based on the security information 62 stored in the memory Ca1, it is encrypted in a decryptable state. In this state, in the cellular phone 11, when the access right is confirmed to be valid by the confirmation of the access right as described above, the encrypted data body read out from the second storage means Is decrypted based on the security information 62.
Thereby, the information for decrypting the encrypted data can be held by the first IC card C1 having the tamper-resistant memory Ca1 attached to the mobile phone 11, and distributed via the network. Data security can be improved.

Next, a system (information management system) that uses data downloaded by the mobile phone (first electronic device) 11 in another electronic device (second electronic device) will be described.
FIG. 8 shows a procedure in which the mobile phone 11 uses the data (data AP 71 and access information 72) downloaded to the second IC card C2 or the memory card M in a personal computer (PC) 101 as another electronic device. It is a figure shown roughly.

  Here, it is assumed that data (data AP 71a and access information 72a) is downloaded to the second IC card C2 by the download process as described above. Further, as shown in FIG. 5, the access information 72a stored in the second IC card C2 includes at least information for identifying the first IC card C1 on the wide area network 102 (first It is assumed that information (such as AID) for specifying the service (application) and the service (application) are included. Further, it is assumed that a service AP 121 having a function equivalent to the service AP 51 installed in the main body of the mobile phone 11 is installed in the PC 101. Note that the PC 101 may appropriately download and install the service AP 121 from the content server 23 or the like when using the service.

  In the PC 101 to which the storage device (here, the second IC card C2) in which the data AP 71a and the access information 72a are stored is connected, the service AP 121 is activated in response to a user operation. Here, when the user requests to use the data AP 71a, the PC 101 that has activated the service AP 121 reads the access information 72a corresponding to the data AP 71a from the second IC card C2. When the access information 72a is read, the PC 101 analyzes the access information 72a and stores the control AP 61a corresponding to the data AP 71a and the security information 62a (here, mounted on the mobile phone 11). Information (IP address, ICCID, AID) specifying the position of the first IC card C1) is determined.

  When determining the information (IP address, ICCID, and AID) for specifying the positions of the control AP 61a and the security information 62a corresponding to the data AP 71a, the PC 101 determines that the wide area network (for example, the Internet) 102 The first IC card C1 is searched for above. In this case, it is assumed that the mobile phone 11 in which the first IC card C1 is attached is connected to the wide area network 102. Therefore, the PC 101 can search for the mobile phone 11 and the first IC card C1 via the wide area network 102 by the IP address and ICCID.

  When the first IC card C1 storing the control AP 61a and the security information 62a specified by the access information 72a is detected, the PC 101 accesses the first IC card C1 via the mobile phone 11. At this time, the PC 101 transmits the IP address of the PC 101 or the IP address of the second IC card C2 to the first IC card C1 attached to the mobile phone 11.

  When the access between the first IC card C1 and the PC 101 is established, the PC 101 requests the first IC card C1 to confirm the access right to the data AP 71a. In response to this confirmation request, the first IC card C1 confirms the validity of the access right to the data AP 71a based on the security information 62a via the control AP 61a. Thus, when it is confirmed that the access right to the data AP 71a is valid, the control AP 61a of the first IC card C1 transmits to the PC 101 that the access right is valid and information for decrypting the data AP 71a. To do. When the information for decrypting the data AP 71a is received, the PC 101 can decrypt the data AP 71a by the service AP 121 and use the service.

Next, details of a processing example when the data downloaded by the mobile phone 11 is used by the PC 101 will be described.
FIG. 9 is a diagram for explaining a processing procedure for using the data AP 71 a stored in the second IC card C <b> 2 by the PC 101.
In this case, the control AP 61a and the security information 62a are downloaded to the first IC card C1 attached to the mobile phone 11 by the processing in steps S11 to S17 shown in FIG. 7, and the second IC card. It is assumed that data AP 71a and access information 72a are downloaded to C2. However, even when the data AP 71a and the access information 72a are downloaded to the memory card M, the PC 101 can use the service (access to the data AP 71a) by the same processing procedure as described below. .

  First, the user removes the second IC card C2 in which the data AP 71a and the access information 72a are downloaded from the mobile phone 11, and connects the PC 101 to the PC 101. The user selects a service to be used from among the services provided by the content server 23 by operating an operation unit (not shown) of the PC 101. Then, the main application executed by the control unit (not shown) of the PC 101 activates the service AP 121 for executing the service designated by the user (step S101).

  When the service AP 121 is activated (step S102), the main AP of the PC 101 requests the service AP 121 to read data of the service specified by the user (here, the data AP 71a) (step S103). The service AP 121 of the PC 101 that has received such a request requests the access information 72a corresponding to the data AP 71a from the second IC card C2 storing the data AP 71a (step S104).

The second IC card C2 that has received the read request for the data AP 71a reads the access information 72a corresponding to the data AP 71a, and transmits the read access information 72a as response data to the service AP 121 (step S105).
When the access information 72a is received from the second IC card C2, the service AP 121 of the PC 101 determines the storage location of the control AP 61a and the security information 62a corresponding to the data AP 71a based on the received access information 72a ( Step S106). Here, based on the IP address of the mobile phone 11 and the first IC card C1 (for example, the combination of the IP address of the mobile phone 11 and the IP address of the IC card C1) included in the access information 72a, the wide area network 102 The first IC card C1 is specified as the storage location of the control AP 61a and security information 62a above.

  When the access information 72a determines the IP address of the first IC card C1 as the storage location of the control AP 61a and the security information 62a, the service AP 121 of the PC 101 searches the wide area network 102 for the first IC card C1. (Step S107). When the first IC card C1 is detected in the wide area network 102, the service AP 121 of the PC 101 together with a command requesting the first IC card C1 to confirm the access right via the wide area network 102. The access information 72a is transmitted (step S108).

  The first IC card C1, which has received the access right confirmation command from the service AP 121 via the wide area network 102, controls the data AP 71a based on the security information 62a by the control AP 61a associated with the access information 72a. The validity of the access right is confirmed (step S109). In this access right confirmation process, for example, based on the security information 62a, it is determined whether it is within the expiration date, within the available number of times, or whether the access condition is satisfied. When it is confirmed that the access right is valid, the control AP 61a of the first IC card C1 determines that the service can be used (the access right to the data AP 71a is present).

  When it is determined that the service can be used (when it is determined that the access right for the service is valid), the first IC card C1 has the access right as a response to the access right confirmation command. Along with the notification to the effect, information for decrypting the data AP 71a is transmitted to the service AP 121 of the PC 101 via the wide area network 102 (step S110). If it is determined that the service cannot be used, the first IC card C1 transmits a notification that the access right is invalid to the service AP 121 of the PC 101 as a response to the access right confirmation command. .

  When the notification that the access right is valid is received from the first IC card C1, the service AP 121 of the PC 101 requests the reading of the data AP 71a stored in the second IC card C2. (Step S111). The second IC card C2 that has received the read command reads the data AP 71a and transmits the read data to the service AP 121 (step S112).

  When the service AP 121 of the PC 101 receives the encrypted data from the second IC card C2, the service AP 121 decrypts the received data from the first IC card C1, such as the decryption key and the decryption logic. Decoding is performed based on the information for conversion (step S112). Thereby, when the data of the data AP 71a is decrypted, the PC 101 can use the service by the decrypted data (data AP 71a) (step S112).

  As described above, the mobile phone 11 downloads the control AP 61 and security information 62 for the specific service provided by the content server 23 to the first IC card C1, and downloads the service downloaded from the content server 23. Data AP 71 for use and access information 72 for accessing the security information 62 are stored in the second IC card C2. In such a case, the data AP 71 stored in the second IC card C2 is stored on the personal computer 101 by removing the second IC card C2 from the mobile phone 11 and connecting it to the personal computer 101. Be available.

  That is, the security information 62 corresponding to the service provided from the content server 23 is stored in the tamper resistant memory Ca1 of the first IC card C1 attached to the mobile phone 11, and the service is used. The security information specified by the access information 72 stored in the second IC card C2 when the second IC card in which the data AP and the access information 72 are stored is connected to the personal computer 101 The first IC card storing 62 is requested to confirm the access right for the service to C1, and the first IC card C1 is requested to confirm the access right for the service from the personal computer 101. On the other hand, the tamper resistant memo of the first IC card C1 The access right to the service is confirmed based on the security information 62 stored in Ca1, information corresponding to the confirmation result is transmitted to the personal computer 101, and the service for the service from the first IC card C1 is transmitted. The personal computer 101 that has been notified that the access right is valid reads the data AP 71 for using the service stored in the second IC card C2.

  As a result, the content data downloaded by the mobile phone 11 can also be used by the personal computer 101. Further, since the security information 62 remains stored in the tamper-resistant memory Ca1 in the first IC card C1 attached to the mobile phone 11, even when the personal computer 101 uses content. It is possible to maintain a high level of security.

  C1 ... first IC card, Ca1 ... memory, C2 ... second IC card, Ca2 ... memory, M ... memory card, 11 ... mobile phone, 20 ... communication carrier system, 21 ... communication equipment, 22 ... OTA server , 23 ... Content server, 24 ... Data server, 31 ... Control unit, 32 ... RAM, 33 ... ROM, 34 ... Non-volatile memory, 35 ... Interface, 36 ... Interface, 37 ... Antenna, 38 ... Communication unit, 41 ... Display , 42 ... operation unit, 51 ... service application (service AP), 61 (61a, 61b, ...) ... control application (control AP), 62 (62a, 62b, ...) ... security information, 71 (71a, 71b, ...) ...) Data application (data AP), 72 (72a, 72b, ...) ... Access Distribution, 101 ... personal computer (PC), 102 ... wide area network 121 ... serving AP

Claims (4)

In an information management system having an IC card and an information terminal device that can be attached to a portable information terminal having a network communication function,
The IC card is
Receiving means for receiving security information for the service from an external device of a service provider in a network communicable via the portable information terminal ;
A tamper resistant memory for storing security information for the service received by the receiving means;
In response to the access right confirmation request for the service received from the information terminal device via the network and the portable information terminal, the service is based on the security information stored in the tamper-resistant memory. A confirmation means for confirming the access right;
When it is confirmed that the access right is valid by the confirmation unit, the transmission unit transmits information for decrypting the data body for using the service to the information terminal device,
The information terminal device
Based on the access information read from the storage medium storing the encrypted data body for using the service and the access information for specifying the IC card on the network, Confirmation request means for requesting confirmation of access right;
Read means for decrypting and reading out the data body stored in the storage medium when receiving information for decrypting the data body from the IC card in response to the confirmation request by the confirmation request means; Have
An information management system characterized by that. The storage medium is a storage medium connectable to both the portable information terminal and the information terminal device, and an encrypted data body and access information for using the service stored in the storage medium, Is data downloaded from an external device in association with the security information stored in the tamper-resistant memory of the IC card by the portable information terminal ,
The information management system according to claim 1, wherein: In an IC card that can be attached to a portable information terminal ,
Receiving means for receiving security information for the service from an external device of a service provider in a network communicable via the portable information terminal ;
A tamper resistant memory for storing security information for the service received by the receiving means;
Access to the service based on the security information stored in the tamper-resistant memory in response to an access right confirmation request for the service received from the information terminal device via the network and the portable information terminal A confirmation means to confirm the rights,
When the confirmation means confirms that the access right is valid, transmission means for transmitting information for decrypting the data body for using the service to the information terminal device;
IC card having An information management method used for an information management system having an IC card and an information terminal device that can be attached to a portable information terminal having a network communication function,
The IC card is
Receiving security information for the service from an external device of a service provider in a network capable of communication via the portable information terminal ;
Storing security information for the received service in a tamper-resistant memory;
In response to the access right confirmation request for the service received from the information terminal device via the network and the portable information terminal, the service is based on the security information stored in the tamper-resistant memory. Check access rights,
When it is confirmed by this confirmation that the access right is valid, information for decrypting the data body for using the service is transmitted to the information terminal device,
The information terminal device
Based on the access information read from the storage medium storing the encrypted data body for using the service and the access information for specifying the IC card on the network, Request access verification,
When the information for decrypting the data body is received from the IC card in response to the confirmation request, the data body stored in the storage medium is decrypted and read.
Information management method.

Images