JP6394328B2 - IC card and display control method thereof - Google Patents

Description

  The present invention relates to an IC card and a display control method thereof, and more particularly to an IC card having a display function in which at least one application program (hereinafter simply referred to as “application”) is mounted and a display control method thereof.

  In recent years, instead of magnetic cards having a magnetic recording layer formed on credit cards and cash cards, IC cards having a much higher storage capacity and higher security than magnetic cards are used in a wide range of fields.

  The IC card has a contact type IC card that is connected to an external device through a contact, a non-contact type IC card that has an antenna and communicates with the external device through the antenna, and has both functions described above. There are both contact type / non-contact type cards that are used, and these cards are selectively used according to the purpose.

  Non-contact type IC cards do not need to be inserted into an external device during communication, so the processing time is short, and since there is no contact, there is no trouble with poor connection of the card to the external device. A highly functional system can be constructed. The non-contact type IC card has an antenna unit for receiving radio waves inside the card, and not only information but also power necessary for driving the IC circuit is supplied via this antenna. The external device wirelessly accesses the contents recorded in the memory of the IC chip in the IC card, and reads out necessary data or writes new data.

  Currently, there is known an IC card with a display function in which a display unit is formed on such an IC card and a part of information recorded in the memory of the IC chip is displayed on the display unit ( For example, see Patent Document 1).

JP 2003-6591 A

Quantum Nakata “Latest Trends in Hardware Vulnerability Assessment Technology” Information-technology Promotion Agency, May 2013

  Since the IC card stores highly confidential information such as personal information and points, the information stored in the IC card may be used illegally. For example, Non-Patent Document 1 introduces a technique for attacking such an IC card.

  In particular, if the use of the IC card is stopped due to expiration of the IC card, member withdrawal, return due to withdrawal from the subscription service, etc., means are required to prevent unauthorized use of the information stored inside. .

  In the case of a conventionally known IC card without a display function, two methods are known as processing when the use of the IC card is stopped.

  In the first method, the IC card is closed (card block). In this case, a card block (card block) command is transmitted from an external device such as a reader / writer to the IC card. In response to the command, the IC card updates the control information so that the IC card does not operate thereafter. Specifically, an information flag (HALT flag) for managing activation of the IC card is set. Thereafter, the CPU processing itself is blocked, and even if an activation command is received from an external device, the IC card is not activated.

  In the second method, use of an application mounted on the IC card is stopped. The IC card holds information indicating an application state in application management information stored therein, and a value indicating whether or not the application can be accessed is set in the information. When the execution of an application is instructed from an external device, the IC card checks application management information to determine whether access is possible. Therefore, in this method, an application use stop (application block) command is transmitted from the external device. In response to the command, the IC card updates information indicating the application state in the application management information stored therein, and sets a value indicating suspension of use. Thereafter, when the execution of the application is instructed from the external device, the IC card confirms the application management information, and when it is determined that the access is impossible, the execution of the requested application is stopped.

  However, in the conventional method for preventing unauthorized use described above, in the case of an IC card having a display function, the data displayed immediately before remains on the display unit of the card. For this reason, there is a possibility that displayed data may be read and used illegally by some method, which is problematic from the viewpoint of security.

  The present invention has been made in view of such problems, and an object of the present invention is to provide an IC card capable of preventing unauthorized use of displayed information in an IC card having a display function, and display control thereof. It is to provide a method.

  In order to solve the above problem, the present invention erases display data by incorporating a function for erasing display data into a series of processes based on an application use stop (application block) instruction or a card close (card block) instruction. It was decided to.

  An IC card according to the present invention receives a signal from the outside, a display unit that displays information, a storage unit that stores the information, a control unit that displays information stored in the storage unit on the display unit, An IC card including a communication unit, wherein the control unit corresponds to the command stored in the storage unit when receiving a command to stop at least a part of the function of the IC card by the communication unit The information is set to be unusable, and the information displayed on the display unit is deleted.

  Here, the instruction may be an application program stop instruction.

  Further, the command may be a closing processing command for the IC card.

  The storage unit stores a plurality of application programs, and the control unit sets the application program corresponding to the stop instruction received by the communication unit and the corresponding information to be unavailable. be able to.

  Moreover, the said control part shall display on the said display part the information different from this displayed information, when erasing the information displayed on the said display part.

  The different information may be information indicating that the function corresponding to the command is stopped.

  According to another aspect of the present invention, a display control method according to the present invention includes an IC card including a display unit that displays information, a storage unit that stores the information, and a communication unit that receives a signal from the outside. Is a display control method executed by the communication unit, wherein the communication unit receives a command to stop at least a part of the functions of the IC card, and the information corresponding to the command stored in the storage unit is disabled. And setting and erasing the information displayed on the display unit.

  Here, the instruction may be an application program stop instruction.

  Further, the command may be a closing processing command for the IC card.

  The storage unit stores a plurality of application programs, and the control unit sets the application program corresponding to the stop command received in the receiving step and the corresponding information to be unavailable. can do.

  Further, the erasing step may cause the display unit to display information different from the displayed information when erasing the information displayed on the display unit.

  The different information may be information indicating that the function corresponding to the command is stopped.

  According to the present invention, unauthorized use of displayed information can be prevented in an IC card having a display function.

1 is an external configuration diagram of an IC card with a display function according to an embodiment of the present invention. It is a block diagram which shows the hardware constitutions inside the IC card with a display function which concerns on embodiment of this invention. It is a block diagram which shows the function structure of the IC card with a display function which concerns on embodiment of this invention. It is a figure showing an example of data memorized by memory of an IC card concerning an embodiment of the present invention. It is a figure which shows the example of AP status information which concerns on embodiment of this invention. It is a flowchart of the main routine process of the IC card according to the embodiment of the present invention. It is a flowchart of the process of AP block command which concerns on embodiment of this invention. It is a figure which shows notionally the structure of the starting management information which concerns on embodiment of this invention. It is a flowchart of the main routine process of the IC card according to the embodiment of the present invention. It is a flowchart of the process of the card | curd closure command which concerns on embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is an external configuration diagram of an IC card with a display function according to the present embodiment. The IC card 100 has a contact terminal 102 and a display unit 104 on the surface of the card.

  The contact terminal 102 is a terminal for directly connecting to a terminal provided in an external device such as a reader / writer to receive power and perform communication. The display unit 104 can be configured by, for example, a liquid crystal display. Various information is displayed on the display unit 102 according to the application. For example, in the case of a card for financial transactions, information such as a cash balance, the number of points according to the transaction amount, and a transaction history can be displayed.

  Although FIG. 1 shows a contact IC card having a contact terminal, it is a non-contact IC card that does not have a contact terminal and communicates by receiving power supplied from an external reader / writer by electromagnetic waves through an antenna coil. There may be. Further, it may be an IC card having both non-contact type and contact type functions.

  The display function of the IC card 100 can be of a type that retains the display content of the display unit 104 even when power is not supplied from an external device such as a reader / writer. In this case, a battery may be incorporated in order to hold the display content of the display unit 104.

  FIG. 2 is a block diagram showing a hardware configuration inside the IC card with a display function according to the present embodiment.

  The IC card 100 includes at least an IC chip 202, an external output controller 204, and an external input controller 206. The CPU 210 of the IC chip 202 is connected to the external output controller 204 and the external input controller 206 via a bus, and transmits and receives signals to and from these controllers. The IC chip 202 is configured to communicate with an external device 220 such as a reader / writer.

  The IC chip 202 includes a CPU 210, a memory 212, a communication unit 216, and various control registers 218. The CPU 210 performs arithmetic processing based on the input information. The memory 212 stores information and can include a non-volatile memory such as EEPROM or FeRAM and / or a volatile memory such as DRAM or SRAM. The memory 212 stores a program 214 that is read and executed by the CPU 210. The program 214 includes an operating system and application programs.

  Operating system receives instructions, sends responses, memory management (application, access to multiple files in application, access to multiple data in files), cryptographic processing, countermeasures against unauthorized attacks, etc. Manages basic processing as an IC card. Each application runs on the operating system. For example, when the operating system receives a read command, it passes this command to the corresponding application. When an application accesses data specified by a read command, the application instructs a logical address (or logical record number) to the operating system. The operating system converts the logical information into a physical address and delivers predetermined data to the application.

  The communication unit 216 exchanges signals with the external device 220 and the CPU 210. Here, the communication with the external device 220 may be performed by a procedure based on ISO 7816-3 or ISO 14443 defined as an international standard, for example. The control register 218 is used to hold the calculation result by the CPU 210 and the execution state of the program.

  The external output controller 204 controls an output device such as the display unit 104 to output information. The output device can include a display unit 104 configured by a display and an audio output unit (not shown) such as a speaker.

  The external input controller 206 is configured to receive a signal input from the keypad 208 and transmit it to the CPU 210. The keypad 208 detects a pressing operation by a user's finger and converts it into an electrical signal. As a method for detecting the pressing operation, a pressure sensitive method using a finger pressure with respect to each key constituting the keypad, an electrostatic method using static electricity, or the like can be used. The keypad 208 is an example of an input device mounted on the IC card 100. For example, another input device such as a microphone may be used.

  FIG. 3 is a block diagram showing a functional configuration of the IC card with a display function according to the present embodiment.

  The IC card 100 includes an initial setting unit 302, a command determination unit 304, a memory control unit 306, a display control unit 308, and a response data generation unit 310.

  The initial setting unit 302 is configured to activate the IC card when the IC card 100 is turned on and perform initial setting. The command determination unit 304 determines whether a command received or input from the outside can be executed. The memory control unit 306 performs determination based on information stored in the memory 212 and editing of the information.

  The display control unit 308 is configured to control the display unit 104 to delete or update the content displayed on the display unit. The response data generation unit 310 performs information processing according to the received command and generates response data. The response data generated here can include both data returned to the external device 220 and data displayed on the display unit 104.

(First embodiment)
Hereinafter, information display processing performed using the IC card configured as described above will be described.

  In the first embodiment of the present invention, the IC card 100 stores a plurality of applications. FIG. 4 shows an example of data stored in the memory 212 of the IC card 100 for managing applications. In the figure, addresses (AD01 to AD04) in the memory are shown on the left side. On the right side, area names (display function management area 416, AP (application) management information area 401, and AP management area 402) defined in the memory are shown.

  The display function management area 416 includes display AP information. In the display AP information, a program ID (identifier) of an application for displaying information on the display unit 104 of the IC card 100 is stored. In the figure, the program ID of an application that displays information on the display unit 104 is 02.

  In the AP management information area 401 starting from the address AD00, information regarding each of a plurality of programs stored in the IC card 100 is stored. Information about each program includes an AP management ID, a head address, an AP management size, an access condition, and AP state information.

  The AP management ID indicates the program ID of each application. The start address indicates the start address of the memory area used when executing the application. The AP management size indicates the size from the top address managed by the application.

  The access condition indicates a condition for restricting the execution of various instructions for each application.

  For example, it is assumed that a subject who accesses a card is a card issuer, an application manager, or a card holder. In this case, each password is set in the IC card. For example, assume that the access conditions as shown in the table below are set.

  In this case, the application with the AP management ID = 01 satisfies the execution condition of the data read command if the card holder password is verified or the application administrator password is verified unless the application is in the block. However, since the application with the AP management ID = 01 in FIG. 4 is in a block, the access condition is not satisfied.

  Further, since the application with the AP management ID = 02 is not in the block state, the execution condition of the data read command is satisfied if the cardholder password is verified.

  Furthermore, since the application with the AP management ID = 03 is in an unissued state, the access condition is not set and the access condition is not satisfied.

  An application block command can be executed if the application manager password is collated for both AP management ID = 01 and 02. In the above table, the access conditions in the application with the AP management ID = 01, 02 are the same, but different settings may be used.

  The card block command can be executed if the card issuer password is collated for both AP management ID = 01 and 02. In the above table, the access conditions are the same, but they may be set differently.

  The AP status information indicates the status of the application, and manages, for example, information indicating the IC card issue status.

  In the example shown in the figure, the IC card 100 stores three applications with AP management IDs = 01, 02, and 03. For the application with AP management ID = 01, the head address is AD01, the AP management size is SZ01, the access condition is AC01, and the AP status information is 00000011. Details of the AP state information will be described later.

  Areas for three applications are allocated after the address AD01 of the memory 212. An area starting from the address AD01 is allocated to the application AP (01) with the AP management ID = 01. An area starting from the address AD02 is allocated to the application AP (02) having the AP management ID = 02. An area starting from the address AD03 is allocated to the application AP (03) having the AP management ID = 03.

  Next, AP state information will be described with reference to FIG. The AP state information can be rewritten by a command from an external device. This rewriting process is executed by the operating system.

  8 bits are assigned to the AP status information, and 6 bits from the top (most significant bit) are unused (0: fixed). The seventh digit from the head indicates the application issuance status, 0 indicates unissued, and 1 indicates issued. Generally, “unissued” indicates that the personal information of the user associated with the application is not stored, and “issued” indicates that the personal information of the user associated with the application is stored and the IC card can be used. Indicates.

  The least significant bit indicates the block state of the application, 0 indicates that the application can be used (No), and 1 indicates that the application cannot be used (Yes). This block state value can be set to 1 in response to an application block instruction and reset to 0 in response to an application unblock instruction.

  Returning to FIG. 4, for the application AP (01) with AP management ID = 01, the block status bit of the AP status information is 1 (block status: Yes). The area for the application AP (01) starts from the address AD01, but the data in this area is blocked.

  For the application AP (02) with the AP management ID = 02, the block status bit of the AP status information is 0 (block status: No). Further, referring to the display AP information indicates that the execution result of this application is displayed on the display unit 104. Therefore, a part of the data in the area starting from the address AD02 is displayed on the display unit 104.

  Further, for the application with AP management ID = 03, the AP status information issuance status bit is 0 (not issued), and therefore, the application is in an unissued status.

  FIG. 6 is a flowchart showing the flow of the main routine process of the IC card according to the present embodiment.

  In step S5011, when power is supplied from the external device 220 to the IC card 100, the IC card 100 is activated, and the initial setting unit 302 performs initial setting. Here, the IC card 100 may be activated by receiving a reset instruction instead of supplying power.

  In step S5012, the response data generation unit 310 transmits an initial response (Answer to Reset data) to the external device 200. This Answer to Reset data includes information such as communication specifications of the IC card 100. Thereafter, the process proceeds to step S5013, and the IC card 100 waits to receive a command from the external device 220. In step S5013, the command determination unit 304 periodically determines whether an instruction has been received from the external device 220.

  When the IC card 100 receives a command from the external device 220, the process proceeds to step S5014, and the command determination unit 304 determines whether or not the command can be executed. Specifically, this determination is made with reference to the access conditions in the AP management information.

  If it is determined that the received command cannot be executed (No route in step S5015), the process proceeds to step S5016, and error information is generated by the response data generation unit 310 and transmitted to the external device 220 (step S5018). ). Then, the process returns to step S5013 to enter a standby state in order to receive the next command.

  On the other hand, if it is determined that the received command can be executed, the process proceeds to step S50017, the response data generation unit 301 executes the process based on the corresponding command, and the external device 220 determines whether the received command is executable. A response message is transmitted (step S5018). Then, the process returns to step S5013 to enter a standby state in order to receive the next command.

  Next, processing of an AP block command executed by the IC card will be described with reference to FIG.

  The flowchart of FIG. 10 is executed in step S5017 when an AP block instruction is received in the main routine process of FIG. 6 and the execution condition is satisfied. First, in step S6001, when an AP block command for a specific application is received, an application designated by the command is searched. Next, in step S6002, the memory control unit 306 sets the block status flag of the AP status information in the AP management information to 1, and puts the corresponding application in the block status.

  In step S6003, the command determination unit 304 confirms whether the blocked application is an application related to data displayed on the display unit 104. Specifically, this process is performed by confirming whether or not the value stored in the display AP information in the display function management information is equal to the ID of the application blocked in step S6002. If the value of the display AP information is different from the blocked application ID (No route in step S6004), the process proceeds to step S6007, and the response data generation unit 310 creates a response message as a processing result. On the other hand, if the value of the display AP information is equal to the blocked application ID (Yes route in step S6004), the process proceeds to step S6005, and the display control unit 308 deletes the data in the display unit 104. Here, erasing is only required to display data different from the currently displayed data because it is sufficient that the displayed information cannot be recognized or used. For example, an image painted with one color may be displayed on the display unit 104, or a random pattern may be displayed.

  In step S6006, the memory control unit 306 updates the display AP information in the display function management information to “non-display”. When updating to “non-display”, a value not used by the AP management ID in the AP management information is determined in advance as a value of “non-display” state (for example, 00h or FFh), and updated to that value. Can be updated to “hidden”.

  Next, the process proceeds to step S6007, and the response data generating unit 310 creates a response message as a processing result.

  Thereafter, the process returns to the flow of the main routine process shown in FIG. 6, and the response data generation unit 310 transmits a response to the external device 220 based on the processing result (step S5018).

(Second Embodiment)
Next, a second embodiment of the present invention will be described. In the present embodiment, the data displayed on the display unit is erased when the IC card closing process is performed.

  As the IC card according to the present embodiment, one having the same configuration as that described above with reference to FIGS. 1 and 2 can be used. However, in the hardware configuration inside the IC card with a display function shown in FIG. 2, the non-volatile memory of the memory 212 according to the present embodiment includes activation management information used as follows.

  FIG. 8 is a diagram illustrating a configuration example of the activation management information. In the activation management information, a flag value confirmed by the CPU 210 when the IC chip 202 is activated is set, and the CPU 210 manages activation of the IC card 100 according to the state indicated by the flag value. In the example shown in the figure, in the activation management information, a HALT (blocking) mode flag and a timer monitoring flag are set in order from the least significant bit.

  If 1 (selected state) is set in the HALT mode flag, the subsequent processing is not performed, and the state is shifted to the card closed state and maintained. Normally, the HALT mode flag is set to 0 (non-selected state), and a response message is transmitted by executing a command received from the outside.

  When the timer monitoring flag is set to 1 (selected state), the CPU 210 monitors so that the processing time from the reception of the command by the IC card to the transmission of the response message does not exceed the specified time. When 0 (non-selected state) is set in the timer monitoring flag, the processing time is not monitored.

  FIG. 9 is a flowchart showing a flow of main routine processing of the IC card according to the present embodiment.

  In step S8001, when power is supplied from the external device 220 to the IC card 100, the initial setting unit 302 activates the IC card 100 and executes initial setting. Here, the IC card 100 may be activated by receiving a reset instruction instead of supplying power.

  Next, in step S8002, the memory control unit 306 checks the value of the HALT mode flag in the startup management information. When the HALT mode flag is 1 (selected state) (No route in step S8003), the process proceeds to step S8010, and the memory control unit 306 shifts the IC card 100 to the closed state.

  On the other hand, when the HALT mode flag is 0 (non-selected state) (Yes route in step S8003), in step S8004, the response data generation unit 310 transmits the first response (Answer to Reset data) to the external device 220. This Answer to Reset data includes information such as communication specifications of the IC card 100. Thereafter, the process proceeds to step S8005, and the IC card 100 waits to receive a command from the external device 220. In step S8005, the command determination unit 304 periodically determines whether an instruction has been received from the external device 220.

  When the IC card 100 receives a command from the external device 220, the process proceeds to step S8006, and the command determination unit 304 determines whether or not the command can be executed.

  If it is determined that the received command cannot be executed (No route in step S8007), the process proceeds to 8011, where error information is generated by the response data generation unit 310 and transmitted to the external device 220 (step S8009). . Then, the process returns to step S8005 to enter a standby state in order to receive the next command.

  On the other hand, if it is determined that the received command is executable (Yes route in step S8007), the process proceeds to step S8008, the response data generation unit 310 executes a process based on the corresponding command, and the process result is obtained. Based on this, a response message is transmitted to the external device 220 (step S8009). Then, the process returns to step S8005 to enter a standby state in order to receive the next command.

  Next, with reference to FIG. 10, the processing of the card closing command executed by the IC card will be described.

  The flowchart of FIG. 9 is executed in step S8010 of the main routine process shown in FIG. The processing of the card closing command is executed when the IC card 100 satisfies the execution condition when receiving the card closing command from the external device 220.

  First, the memory control unit 306 sets the HALT flag of the activation management information to “1” (selected state) so that the IC card 100 is not activated at the next activation (reset) (step S9001).

  Next, in step S9002, the data displayed on the display unit 104 is erased. Here, “erasing” is performed as long as the displayed information cannot be recognized or used. For example, an image in which the display unit 104 is filled with one color may be displayed, or a random pattern may be displayed.

  Next, the process proceeds to step S9003, and the display control unit 308 causes the display unit 104 to display data different from the currently displayed information. For example, character information such as “discard”, “use prohibited”, “xxxxxxxx” may be displayed in order to visually notify that the IC card with the display function cannot be used.

  Then, the process proceeds to step S9004, where the response data generation unit 310 creates a response message indicating that the above processing has been executed, and transmits the response message to the external device 220.

  After that, even when power is supplied to the IC card 100 again, when the CPU 210 refers to the startup management information and confirms that the flag for the HALT mode is set, the IC card 100 shifts to the HALT mode, and the card itself It becomes blocked. In this way, the IC card 100 does not receive a command.

  As described above, according to the above-described embodiment, when an instruction to stop at least some of the functions of the IC card is received, information corresponding to the instruction stored in the storage unit is set to be unavailable and displayed. The information displayed on the section can be deleted. As a result, it is possible to prevent unauthorized use of displayed information in an IC card having a display function.

  In addition, it cannot be overemphasized that the some embodiment mentioned above can be used combining each form suitably.

  The present invention can be used for an IC card having a display function widely used as a bank card, a credit card, a transportation card or the like.

DESCRIPTION OF SYMBOLS 100 IC card 102 Contact terminal 104 Display part 202 IC chip 204 External output controller 206 External input controller 208 Keypad 210 CPU
212 Memory 216 Communication Unit 218 Control Register 220 External Device 302 Initial Setting Unit 304 Command Determination Unit 306 Memory Control Unit 308 Display Control Unit 310 Response Data Control Unit

Claims (12)

A display for displaying information;
A storage unit storing the information;
A control unit that causes the display unit to display information stored in the storage unit;
An IC card having a communication unit for receiving a signal from the outside,
When the control unit receives an instruction to stop at least a part of the functions of the IC card by the communication unit, the control unit sets information corresponding to the command stored in the storage unit to be unavailable, and the display unit An IC card characterized by erasing information displayed on the card.   The IC card according to claim 1, wherein the command is a command to stop an application program.   The IC card according to claim 1, wherein the instruction is an instruction to close the IC card.   The storage unit stores a plurality of application programs, and the control unit sets the application program corresponding to the stop command received by the communication unit and the corresponding information to be unavailable. The IC card according to claim 2.   The said control part makes the said display part display the information different from this displayed information, when erasing the information displayed on the said display part, The said display part is characterized by the above-mentioned. IC card.   6. The IC card according to claim 5, wherein the different information is information indicating that a function corresponding to the command is stopped. A display for displaying information;
A storage unit storing the information;
A display control method executed by an IC card including a communication unit that receives a signal from the outside,
Receiving a command to stop at least a part of the functions of the IC card by the communication unit;
And a step of setting the information corresponding to the command stored in the storage unit to unusable and erasing the information displayed on the display unit.   The display control method according to claim 7, wherein the instruction is an application program stop instruction.   The display control method according to claim 7, wherein the command is a command for closing the IC card.   The storage unit stores a plurality of application programs, and the control unit sets the application program corresponding to the stop command received in the receiving step and the corresponding information to be unavailable. The display control method according to claim 8.   The display control method according to claim 7, wherein in the erasing step, information different from the displayed information is displayed on the display unit.   The display control method according to claim 11, wherein the different information is information indicating that a function corresponding to the command is stopped.

Images