JP5903945B2 - IC card and computer program - Google Patents

Description

  The present invention relates to an IC card that stores a program code in an electrically rewritable nonvolatile memory, and more particularly, to a technique for verifying the validity of a program code stored in the nonvolatile memory.

  In conventional electronic devices, the program code necessary for operating the CPU is stored in an electrically non-rewritable mask ROM suitable for mass production, and individual data for each user and data updated during operation are stored. Although it was stored in an electrically rewritable non-volatile memory (hereinafter abbreviated as “NVM”; NVM: Non-Volatile Memory), the development of the mask ROM requires about 2 to 6 months. From the viewpoint of shortening the period, there is a movement to store the program code in the NVM instead of the mask ROM.

  In recent years, the writing speed to NVM such as EEPROM and flash memory has been dramatically improved, and even if the program code is stored in NVM, it is not at a level that hinders manufacturing efficiency in mass production. Unlike a mask ROM that expresses information by controlling current according to the NVM, the NVM uses a floating gate method. Therefore, the reliability of the information represented by the NVM is lower than that of the mask ROM, particularly security-related processing such as encryption and authentication. In the field of IC cards that implement the above, it is necessary to verify the validity of the program code stored in the NVM.

  In the IC card field, as an invention for verifying the correctness of the program code stored in the NVM, for example, in Patent Document 1, the IC card verifies the correctness of the program code before sending the initial response message to the reset process. However, an invention is disclosed in which no response is made when an abnormality is confirmed. Since the reset process is generally executed at the beginning when the IC card is used, it is effective to check the validity of the program code before executing a series of processes.

  However, device-embedded IC cards such as mobile phone SIM cards (Subscriber Identity Module Cards) and SAM cards (Secure Access Module Cards) for automated teller machines remain in the devices. Therefore, if the validity of the program code is verified every time the reset process is performed, the frequency of verifying the validity of the program code is extremely reduced. This makes it difficult to prevent malfunctions.

  Even in the case of operation forms where the frequency of reset processing is low, as a method to continue verifying the validity of the program code, the validity of the program code when a specific command such as authentication, encryption, or decryption is received. Although a method for verifying the reliability is considered, the memory capacity of the NVM has become larger than before due to advances in semiconductor manufacturing technology, and the size of the program code stored in the NVM is becoming larger. There is a problem in that it takes a long time and the convenience of the user is impaired during operation.

Japanese Patent No. 2577376

  Therefore, the present invention is mounted on an IC card and an IC card that can continuously verify the validity of the program code stored in the NVM without losing user convenience while the IC card is activated during operation. An object is to provide a computer program to be executed.

  A first invention for solving the above-described problem is an IC card having an electrically rewritable nonvolatile memory (hereinafter referred to as “NVM”), in addition to a program code area storing a program code, a program code area The reference EDC calculated from the program code in the block area obtained by dividing the program code area into a plurality of parts is stored in correspondence with the block area so that the validity of the program code stored in A region is provided in the NVM.

Further, as a means realized by a computer program, the IC card according to the first aspect of the invention is valid when receiving an instruction accompanied by validity verification from the outside when the operation mode of the IC card is set to the operation mode. After calculating the authentication EDC from the program code in the block area corresponding to the next block number indicating the block area to be verified, and searching the reference EDC corresponding to the block area from the reference EDC area, The calculated authentication EDC and the searched reference EDC are collated, and if the collation is successful, the block area to be verified is updated to the next block area, and then the next block number is updated. If the instruction is executed and verification fails, the verification of the program code fails without executing the instruction. And the process of writing to the NVM information indicating that, while the IC card is activated, and a validity verification means for performing switches the block area to be validity verification cyclically.

  Further, the second invention is the IC card described in the first invention, wherein the IC card is not used after the verification of the validity of the program code stored in the program code area has failed. When receiving the instruction from the outside, the sex verification means checks whether information indicating that the verification of the validity of the program code has failed is written in the NVM before executing the instruction, and the information is stored in the NVM. If written, the process is stopped.

Further, the third invention is the IC card according to the first invention or the second invention, wherein the program code received from the outside is calculated so that the reference EDC can be calculated on the IC card side at the time of manufacture. After writing in the area, the program code area is divided into a plurality of block areas, and the reference EDC calculated from the program code in the block area is associated with the block area, and the reference EDC area for each block area after you write to, characterized in that it comprises means for implementing the process for transitioning the operation mode to the operation mode.

Furthermore, the fourth invention is an invention relating to a computer program, wherein a reference EDC calculated from a program code area storing a program code and a program code in a block area obtained by dividing the program code area into a plurality of parts is obtained. A computer program for causing an IC card provided in an electrically rewritable nonvolatile memory (hereinafter, “NVM”) to function as a reference EDC area stored for each block area in association with the block area. When the operation mode of the IC card is set to the operation mode and the command accompanied by the validity verification is received from the outside, the block area corresponding to the next block number indicating the block area subject to the validity verification The authentication EDC is calculated from the program code in the block, and the block corresponding to the block area After the irradiation EDC retrieved from the reference EDC area collates the reference EDC retrieved and computed said authentication EDC, a successful verification, the so said block region to be validity verification is switched cyclically The IC card executes a process of writing the information indicating that the verification of the validity of the program code has failed into the NVM without executing the instruction if the instruction is executed after the next block number is updated and collation fails. It is a computer program for functioning as a legitimacy verification means for cyclically switching the block area to be legitimate for verification while being activated .

  Further, according to a fifth aspect, in the computer program according to the fourth aspect, when the instruction is received from the outside, information indicating that the validity verification of the program code has failed before executing the instruction is NVM. Is a computer program for functioning as the validity verification means for confirming whether or not the information is written to the NVM and stopping the processing when the information is written to the NVM.

  As described above, the IC card according to the present invention can verify the validity of the program code stored in the NVM while sequentially changing the block area every time an instruction with validity verification is received while the IC card is activated. Therefore, even if the number of executions of the reset process is extremely small, the frequency of verifying the validity of the program code stored in the NVM is not reduced.

  In addition, since the IC card according to the present invention verifies the program code stored in the NVM in block area units, if the size of the block area is reduced, the time required for verifying the correctness of the program code is not increased. There is no loss of user convenience.

The figure explaining the IC card concerning this embodiment. FIG. 14 illustrates an IC chip. The figure explaining the structure of NVM. The figure explaining operation | movement of the IC card at the time of manufacture. FIG. 1 is a first diagram illustrating the operation of an IC card during operation. FIG. 2 is a second diagram illustrating the operation of the IC card during operation.

  A preferred embodiment of the IC card according to the present invention will be described in detail with reference to the drawings. The embodiment described below is only one embodiment of the present invention, and the present invention is not limited to the embodiment described below, and various modifications and changes are possible.

  FIG. 1 is a diagram for explaining an IC card 1 according to the present embodiment. The IC card 1 according to the present embodiment is a device that is used by being incorporated in a reader / writer unit 40 provided in an external device 4 such as a mobile phone or an automatic teller machine, and is an IC module mounted on the IC card 1 2, an IC chip 3 is mounted on a connection board 2 a provided with contact terminals according to ISO / IEC 7816-1, and the input / output terminals of the IC chip 3 correspond to the input / output terminals of the IC chip 3. The contact terminals are connected by wire bonding 2b.

  In FIG. 1, the shape of the IC card 1 is a plug-in type standardized by ISO / IEC 7816-2, such as a SIM for mobile phones and a SAM for automatic teller machines. The shape of the IC card 1 may be an ID card type or a Mini type standardized by ISO / IEC 7816-2.

  FIG. 2 is a diagram illustrating the IC chip 3 mounted on the IC module 2. As shown in FIG. 2, the IC chip 3 includes a ROM 30 as a memory in addition to a CPU 30 (Central Processing Unit) having a calculation function, a timer 31 that measures time, and a UART 32 that performs a transmission control function with the external device 4. (Read Only Memory), an electrically rewritable nonvolatile memory 35 (NVM: Non Volatile Memory), and a RAM 33 (Random Access Memory) such as an EEPROM or a flash memory.

  The program code for operating the CPU 30 of the IC chip 3 is stored in the ROM 34 and the NVM 35 of the IC chip 3, and the ROM 34 stores the program module functioning as the validity verification unit according to the present invention and the program code at the time of manufacture in the NVM 35. A program module for writing to the program is implemented.

  FIG. 3 is a diagram for explaining the structure of the NVM 35 of the IC chip 3. As shown in FIG. 3, the NVM 35 of the IC chip 3 is provided with a program code area 35 a for storing a program code and a data area 35 b for storing data. The program code area 35 a is divided into a plurality of block areas 350. Divided and managed.

  In the program code area 35a provided in the NVM 35, a program code corresponding to a command used at the time of operation is written when the IC card 1 is manufactured. The IC card 1 is legitimate from the external device 4 when the operation mode is the operation mode. When receiving an instruction accompanied by sex verification, every time the instruction is received, the process of verifying the program code in the block area 350 targeted for validity verification is sequentially performed on the block area 350 targeted for validity verification. Here, the operation is switched to cyclic.

  By switching cyclically the block area 350 to be validated and verifying the validity of the program code in the block area 350, the time required for the validity verification of the program code in one block area 350 is The time required for verifying the validity of all the program codes in the program code area 35a is shortened, and the convenience of the user is not lost during operation. If the instructions are received in the number of the block areas 350, the program code All program codes in the area 35a can be verified.

  The start address of the program code area 35a in the NVM 35 is arbitrary, and when the NVM 35 is managed by the paging method, the size of the program code area 35a is an integral multiple of a page unit (for example, 32 bytes). The size is the size obtained by dividing the program code area 35a by the number of block areas 350. For example, when the size of the program code area 35a is 1000 pages (for example, 32 kilobytes) and the number of block areas 350 is 100, the size of the block area 350 is 10 pages (for example, 320 bytes).

  A reference EDC 351 (EDC: Error Detection Code) that is referred to when the validity verification of the program code is performed is stored in the data area 35b, and the data area 35b overlaps with the program code area 35a as shown in FIG. In the data area 35b that is set in the NVM 35 so as not to be present and provided in the NVM 35, a reference EDC area 35c for storing a reference EDC 351 used for verifying the validity of the program code is provided.

  The size of the reference EDC area 35 c provided in the data area 35 b depends on the size of the reference EDC 351 and the number of block areas 350. For example, when the reference EDC 351 is a 2-byte CRC and the number of block areas 350 is 100, the size of the reference EDC area 35c is 200 bytes.

  In the present embodiment, when the validity verification is performed, each block area 350 is managed using a block number, and the reference EDC 351 that is a result of calculating the digest of the program code in each block area 350 is referred to in block number order. It is stored in the EDC area 35c.

  In FIG. 3, the block number is enclosed in parentheses, and the reference EDC 351 (1) of the head block area 350 (1) is stored at the head of the reference EDC area 35c. The reference EDC 351 (2) of the second block area 350 (2) is stored in the reference EDC area 35c next to the reference EDC 351 (1), that is, second.

  In addition, in the data area 35b of the NVM 35, mode identification information 352 indicating the operation mode of the IC card 1 and the validity verification result of the program code area 35a, in addition to the reference EDC 351 referred to when the validity of the program code is verified. The validity verification information 353 to be shown, the next block number 354 to indicate the block area 350 to be verified next, and the division number 355 of the program code area 35a are stored as the number of block areas 350.

  From here, operation | movement of the IC card 1 at the time of manufacture is demonstrated. FIG. 4 is a diagram for explaining the operation of the IC card 1 at the time of manufacture. When the IC card 1 is issued, the mode identification information 352 stored in the NVM 35 is a value indicating a manufacturing mode in which the program code can be written to the NVM 35. The IC card 1 is a command for writing the program code to the NVM 35. Is received from the IC card issuer, the program codes received from the IC card issuer are written in order from the top address of the program code area 35a provided in the NVM 35 (S1). Note that an instruction for writing a program code to the NVM 35 is stored in the ROM 34.

  When the writing of the program code to the NVM 35 is completed, the IC card 1 receives from the IC card issuer a mode transition command for switching the operation mode of the IC card 1 to an operation mode in which the program code cannot be written (S2). ). The mode transition instruction may be a dedicated instruction, but the completion of writing the program code may be handled as a mode transition instruction.

  When a mode transition command for switching the operation mode of the IC card 1 is received from the IC card issuer, the IC card 1 confirms the mode identification information 352 stored in the NVM 35 (S3), and is manufactured based on the mode identification information 352. If the mode is not indicated, it is determined that the state of the IC card 1 is abnormal, abnormal response information is returned to the IC card issuing machine (S13), and this procedure is terminated.

  Further, if the manufacturing mode is indicated by the mode identification information 352, the IC card 1 sets the start address of the program code area 35a to the code address pointer indicating the start address when calculating the reference EDC 351 (S4), Further, the head address of the reference EDC area 35c is set in the EDC address pointer indicating the head address for storing the reference EDC 351 (S5).

  Next, the IC card 1 calculates the digest of the block area 350 starting from the code address pointer as the reference EDC 351 of the block area 350 (S6), and in the area in the reference EDC area 35c indicated by the EDC address pointer, By copying the calculated reference EDC 351, the calculated reference EDC 351 is written in the reference EDC area 35c of the NVM 35. (S7).

  When the calculated reference EDC 351 is written in the reference EDC area 35c of the NVM 35, the IC card 1 adds the size of the block area 350 to the code address pointer (S8), and further adds the EDC size to the EDC address pointer ( S9) It is confirmed whether the code address pointer has reached the end of the program code area 35a (S10). If the code address pointer has not reached the end of the program code area 35a, the process returns to S6 in FIG. 350 reference EDCs 351 are calculated.

  When the code address pointer reaches the end of the program code area 35a, the IC card 1 rewrites the mode identification information 352 stored in the NVM 35 to a value indicating the operation mode, thereby operating the operation mode of the IC card 1. Is transferred from the manufacturing mode to the operation mode (S11), and normal response information indicating that the operation mode of the IC card 1 has normally shifted to the operation mode is transmitted to the IC card issuing machine (S12). Exit.

  From here, the operation of the IC card 1 during operation will be described. FIG. 5 is a first diagram illustrating the operation of the IC card 1 during operation, and is a diagram illustrating the operation of the IC card 1 during reset processing.

  When a reset signal is received from the reader / writer unit 40 of the external device 4 (S20), the IC card 1 confirms the mode identification information 352 stored in the NVM 35 to confirm the operation mode at this time (S21).

  When the operation mode at this time is the operation mode, the IC card 1 sets the next block number 354 stored in the NVM 35 to “1” (S22), and transmits an initial response message to the external device 4 (S23). ), The IC card 1 is in a command reception waiting state (S24).

  Further, when the operation mode at this time is not the operation mode, the IC card 1 transmits the initial response information to the external device 4 without setting the next block number 354 stored in the NVM 35 to “1” ( In step S23, the IC card 1 waits for receiving an instruction (S24).

  FIG. 6 is a diagram illustrating the operation of the IC card 1 during operation, and is a diagram illustrating the operation of the IC card 1 during command processing. When the IC card 1 receives a command for operation from the external device 4 in the command reception waiting state (S30), the IC card 1 first confirms the operation mode at this time (S31) and operates at this time. If the mode is not the operation mode, the IC card 1 stops processing (S45).

  When the operation mode at this time is the operation mode, the IC card 1 confirms the validity verification information 353 stored in the NVM 35 (S32), and “abnormal” is indicated by the validity verification information 353. In this case, the IC card 1 stops processing (S45).

  When the normality verification information 353 stored in the NVM 35 indicates “normal”, the IC card 1 determines the type of instruction received from the external device 4 and executes the program code corresponding to the instruction. (S33).

  If the instruction received from the external device 4 is not an instruction accompanied by verification of the validity of the program code, the IC card 1 executes the program code corresponding to the instruction (S42). Here, the validity of the program code is confirmed. The execution result of the instruction is transmitted to the external device 4 without operating the program module to be verified (S43).

  The instruction accompanied by the verification of the correctness of the program code is described so as to operate the program module for verifying the correctness of the program code. In this case, the IC card 1 performs the processing described below by operating the program module by the instruction.

  When verifying the validity of the program code, first, the IC card 1 acquires the next block number 354 from the data area 35c (S34), and the IC card 1 determines the next block number 354, the size of the block area 350, and the program code. Using the start address of the area 35a, the start address of the block area 350 to be verified is obtained (S35), and the authentication EDC that is the digest of the block area 350 starting from the start address is calculated (S36). ).

  When the authentication EDC is calculated, the IC card 1 uses the next block number 354, the head address of the reference EDC area 35c, and the size of the EDC to refer to the reference EDC 351 corresponding to the block area 350 to be verified. A search is performed from the EDC area 35c (S37), and the calculated authentication EDC is compared with the searched reference EDC 351 (S38).

  If the calculated authentication EDC and the retrieved reference EDC 351 do not match, the IC card 1 sets the validity verification information 353 stored in the NVM 35 to “abnormal” (S44), and stops the processing (S45). .

  Further, when the calculated authentication EDC matches the searched reference EDC 351, the IC card 1 adds “1” to the next block number 354 (S39), and then the next block number 354 becomes the division number 355 of the program code area 35a. (S40).

  When the next block number 354 exceeds the division number 355 of the program code area 35a, the IC card 1 sets the next block number 354 to “1” (S41), and then a program corresponding to the command received from the external device 4 The code is executed (S42), the execution result is transmitted to the external device 4 (S43), and the process returns to the instruction waiting state.

  Further, the IC card 1 does not set the next block number 354 to “1” when the next block number 354 does not exceed the division number 355 of the program code area 35a, and the program corresponding to the command received from the external device 4 The code is executed (S42), the execution result is transmitted to the external device 4 (S43), and the process returns to the instruction waiting state.

1 IC card 2 IC module 3 IC chip 30 CPU
34 ROM
35 NVM (Non Volatile Memory)
35a Program code area 35b Data area 35c Reference EDC area 350 Block area 351 Reference EDC
352 Mode identification information 353 Validity verification information 354 Next block number 355 Number of divisions 4 External device 40 Reader / writer unit

Claims (5)

An IC card having an electrically rewritable nonvolatile memory (hereinafter, “NVM”),
A reference stored in each block area corresponding to the block area, a program code area storing the program code, and a reference EDC calculated from the program code in the block area obtained by dividing the program code area into a plurality of blocks An EDC region is provided in the NVM,
When the operation mode of the IC card is set to the operation mode, if an instruction with validity verification is received from the outside, the block area corresponding to the next block number indicating the block area subject to the validity verification of calculating the program code from the authentication EDC, after searching the reference EDC corresponding to the block region from the reference EDC area collates the reference EDC retrieved and computed said authentication EDC, a successful verification, legitimate The next block number is updated so that the block area to be verified is switched to the next block area, the instruction is executed, and if verification fails, the program code is validated without executing the instruction. the process of writing the information indicating the failure in sex validation NVM, while the IC card is activated, a positive IC card according to claim that it comprises a validity verification means for performing switches the block area to be sexual verification cyclically.   When the validity verification means receives the instruction from the outside, before executing the instruction, the validity verification means checks whether information indicating that the validity verification of the program code has failed is written in the NVM. 2. The IC card according to claim 1, wherein the processing is stopped when the data is written in the NVM. After the program code received from outside is written in the program code area, the program code area is divided into a plurality of block areas, and the reference EDC calculated from the program code in the block area is associated with the block area wherein after you write to the reference EDC area for each block area, characterized in that it comprises means for implementing the process for transitioning the operation mode to the operation mode, to claim 1 or claim 2 Te The described IC card. A reference stored in each block area corresponding to the block area, a program code area storing the program code, and a reference EDC calculated from the program code in the block area obtained by dividing the program code area into a plurality of blocks The EDC area is a computer program for causing an IC card provided in an electrically rewritable nonvolatile memory (hereinafter referred to as “NVM”) to function.
When the operation mode of the IC card is set to the operation mode, if an instruction with validity verification is received from the outside, the block area corresponding to the next block number indicating the block area subject to the validity verification of calculating the program code from the authentication EDC, after searching the reference EDC corresponding to the block region from the reference EDC area collates the reference EDC retrieved and computed said authentication EDC, a successful verification, legitimate The next block number is updated so that the block area to be verified is switched to the next block area, the instruction is executed, and if verification fails, the program code is validated without executing the instruction. the process of writing the information indicating the failure in sex validation NVM, while the IC card is activated, a positive Computer program for functioning as a validity verification means for implementing switches the block area to be sexual verification cyclically. When the instruction is received from the outside, before executing the instruction, it is confirmed whether information indicating that the verification of the validity of the program code has failed is written in the NVM, and the information is written in the NVM. The computer program according to claim 4, which functions as the validity verification unit that stops processing.

Images