
HK1062722B - Data processing method and its apparatus - Google Patents


Info

Publication number: HK1062722B
Authority: HK (Hong Kong)
Prior art keywords: data, circuit, processing, card, program
Application number: HK04104630.4A
Other languages: Chinese (zh)
Other versions: HK1062722A1 (en)
Inventors: 末吉正弘, 久保野文夫, 馆野启
Original assignee: Sony Corporation
Application filed by: Sony Corporation
Priority claimed from: JP2001039969A (JP2002244755A), JP2001040415A (JP4765174B2), JP2001040705A (JP2002244868A), JP2001040414A (JP4670158B2), JP2001042445A (JP2002244757A), JP2001042446A (JP2002244925A), JP2001042396A (JP2002244756A), JP2001042397A (JP4617581B2), JP2001262288A (JP4207409B2), PCT/JP2002/001324 (WO2002065287A1)
Publications: HK1062722A1, HK1062722B

Description

Data processing method and apparatus thereof
Technical Field
The present invention relates to a data processing method that is useful when transactions are carried out over a network using an IC (integrated circuit) embedded in a card or a mobile terminal device, and to a device, a program, a semiconductor circuit, and an authentication device for that method.
Background
Communication systems that use IC cards and the like for transactions over the Internet and other networks are currently being developed.
In such a system, a server receives a processing request involving an IC card from the card's reader/writer or from a PC (personal computer), and performs user authentication, data encryption and decryption, and other processing.
Such a system must allow for the case in which processing requests for a large number of IC cards arrive simultaneously or within a short time.
In that case the server must be able to handle the processing requests efficiently.
Further, the server sometimes runs several applications, each handling the procedures of a different settlement service, and selects the application that performs the processing on the basis of the processing request. Such processing requests must also be handled efficiently.
Further, in such a system the application executed by the server must specify the key information used to access the IC card and the operation commands that operate it. When the security of a transaction using the IC card must be maintained, the key information and the operation commands may be known only to the administrator of the server.
Thus, in the past, the administrator of the server has generated and customized an application program at the request of the service provider.
However, when the administrator of the server generates and customizes applications in this way, the burden on the administrator becomes heavy.
Furthermore, on such a server several applications belonging to credit card companies or other enterprises run side by side. Each application is produced by one enterprise and downloaded to the server from a personal computer or the like.
When the server runs the applications of several enterprises, it is necessary to ensure that the processing of each application is neither monitored nor disturbed by another application.
On the other hand, some services require data to be transferred between applications.
In addition, each enterprise downloads its application to the server and then debugs it as needed.
When each enterprise downloads and debugs its application on the server in this way, it is necessary to prevent the programs in the server from being illegally interfered with.
One technique for this is authentication processing that uses key information when the server is accessed. Such key information is, however, usually stored in the memory of a terminal device (personal computer), so it can be misused, which is a security problem.
Furthermore, the LSI forming the server has a built-in CPU, and the CPU sometimes accesses memory located outside the LSI chip.
In this case the data flows over a bus between the LSI chip and the external memory, so the data can be observed by probing the bus.
When the server performs electronic commerce transactions, personal authentication, and other highly confidential processing, the possibility of observing this data is a security problem.
Further, the server may consist of a single computer.
In this case a single computer runs several programs related to services provided by different enterprises. When these services handle highly confidential data, such as settlement data, the highly confidential data owned by one enterprise may be illegally acquired or tampered with by another enterprise.
Further, when a conventional computer is used as this computer, the following problem arises.
Fig. 133 shows the basic configuration of a general computer 601.
In the computer 601 shown in Fig. 133, a CPU 602 performs processing using instructions and data read from a memory 603.
The CPU 602 outputs the access address in the memory 603 to an address bus 604.
Further, the CPU 602 performs read/write operations on the memory 603 according to a control signal S602.
Module A, module B, and module C stored in the memory 603 are each a processing unit of a program having a particular function.
During program development, a debugging program 605 checks the operation of the CPU 602. It uses a HALT signal to suspend the CPU 602 temporarily, reads the internal state of the CPU 602, and reports it to the program developer.
In Fig. 133, it is assumed that module A provides a basic function used by module B or module C.
It is further assumed that the routines of the basic function contained in module A are highly confidential. Since module A provides a basic function, it must nevertheless offer an environment in which the developers of module B or module C can develop their programs. One way to do this is to distribute a library of functions.
Such a library is expressed in an intermediate language between a high-level language and machine language (generally called assembly language), which is fairly easy to analyze, so the processing routines that must remain confidential are likely to become known in the end.
Another way is to store the basic module (module A in this example) in the memory 603 in advance instead of supplying it as a function library, and to have the developers write their software on the assumption that the basic module exists at a specific location.
However, even with this method there remains the problem that the developers of modules B and C can read module A from the memory 603. What is read is the machine language executed by the CPU 602, but tools exist for converting such machine language into assembly language, so the routines can be analyzed quite easily.
Further, during development the developers of modules B and C can suspend execution of the CPU 602 while module A is executing in order to learn the data being processed by module A or its contents, and thereby learn the entire processing routine of module A.
In addition, the application programs running on the server process key data, charging data, log data, and other high-security data set by the service provider, so these data must be protected from illegal tampering and monitoring.
A first object of the present invention is to provide a data processing method, a semiconductor circuit, and a program capable of efficiently performing processing in response to a large number of processing requests.
A second object is to provide a data processing method, a semiconductor circuit, and a program that allow a user to generate and customize the user's own application program, to be executed by the server, without letting the user learn highly confidential information.
A third object is to provide a data processing method, a semiconductor circuit, and a program capable of preventing each application program from being influenced by another when the same semiconductor circuit runs several application programs.
A fourth object is to provide a data processing method, a semiconductor circuit, and a program that, when several applications run on the same semiconductor circuit, allow data to be transferred between the applications as needed while preventing each application from being illegally tampered with or monitored by the user of another application.
A fifth object is to provide a data processing method, a semiconductor circuit, an authentication device, and a program capable of restricting what may be accessed in a server or other semiconductor circuit according to the authority of the party accessing it.
A sixth object is to provide a semiconductor circuit and a data processing method capable of keeping data confidential even when highly confidential data is transferred between the semiconductor circuit and a semiconductor memory circuit over an external bus.
A seventh object is to provide a data processing apparatus capable of keeping the instructions and data of each program confidential from the other programs when executing a plurality of programs.
An eighth object is to provide a semiconductor circuit capable of improving the confidentiality of the program it executes.
A ninth object is to provide a data processing apparatus, a method thereof, and a program thereof capable of improving the security of an application program running on a server that provides a service using an IC card or other integrated circuit.
Disclosure of Invention
To achieve the above objects, a data processing method of a first aspect of the present invention is a data processing method executed by a semiconductor circuit according to a plurality of processing requests, comprising the steps of: generating, for each processing request, job management data that includes job execution order data indicating the execution order of the jobs forming the process for that request and status data indicating the progress of execution of those jobs; selecting one item of job management data from the generated job management data according to a predetermined rule; selecting the job to be executed next according to the status data and the job execution order data of the selected job management data; executing the selected job; and updating the status data of the selected job management data according to the execution of the job.
In the data processing method of the first aspect, the semiconductor circuit first generates, for each of the plurality of processing requests, job management data including job execution order data that indicates the execution order of the plurality of jobs forming the process for that request and status data that indicates the progress of execution of those jobs.
Next, the semiconductor circuit selects one item of job management data from the generated plurality according to the predetermined rule.
Next, the semiconductor circuit selects the job to be executed next on the basis of the status data and the job execution order data of the selected job management data.
Subsequently, the semiconductor circuit executes the selected job.
Finally, the semiconductor circuit updates the status data of the selected job management data according to the execution of the job.
Further, the data processing method of the first aspect preferably further comprises, after updating the status data of the selected job management data, again selecting one item of job management data from the plurality of job management data.
Further, the data processing method of the first aspect preferably further includes deleting the job management data when all jobs forming the process for the processing request have completed execution.
Further, the data processing method of the first aspect preferably further includes receiving the processing request from an integrated circuit having a memory that holds data used in the process performed by the semiconductor circuit, or from a communication device that inputs and outputs data to and from that integrated circuit.
A semiconductor circuit of a second aspect of the present invention is a semiconductor circuit that processes data according to a plurality of processing requests, comprising: an interface that inputs the plurality of processing requests; a storage circuit that holds job management data including job execution order data indicating the execution order of the plurality of jobs forming the process for a processing request and status data indicating the progress of execution of those jobs; and a control circuit that generates job management data for each of the plurality of input processing requests and stores it in the storage circuit, selects one item of job management data from the plurality of generated job management data, selects and executes the job to be executed next on the basis of the status data and the job execution order data of the selected job management data, and updates the status data of the selected job management data according to the execution of the job.
In the semiconductor circuit of the second aspect, the interface inputs a plurality of processing requests.
Subsequently, the control circuit generates, for each of the plurality of processing requests, job management data including job execution order data indicating the execution order of the plurality of jobs forming the process for that request and status data indicating the progress of execution of those jobs, and saves it in the storage circuit.
Next, the control circuit selects one item of job management data from the plurality of job management data.
Thereafter, the control circuit selects and executes the job to be executed next on the basis of the status data and the job execution order data of the selected job management data, and updates the status data of the selected job management data according to the execution of the job.
A program of a third aspect of the present invention is a program executed by a semiconductor circuit that processes data according to a plurality of processing requests, including: a routine that generates, for each of the plurality of processing requests, job management data including job execution order data indicating the execution order of the plurality of jobs forming the process for that request and status data indicating the progress of execution of those jobs; a routine that selects one item of job management data from the generated plurality; a routine that selects the job to be executed next according to the status data and the job execution order data of the selected job management data; a routine that executes the selected job; and a routine that updates the status data of the selected job management data according to the execution of the job.
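The scheduling loop of the first to third aspects, as an added example written for this page and not code from the patent or from Sony: one item of job management data per processing request, a predetermined selection rule (round-robin is assumed here), the next pending job chosen from the execution order data, and the record deleted once every job is done. The class names, the rule and the sample jobs are assumptions.

```python
# Added example (not from the patent): a scheduler that keeps one item of
# job management data per processing request and interleaves the requests'
# jobs as the first to third aspects describe. The class names, the
# round-robin selection rule and the sample jobs are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Job = Callable[[dict], None]  # a job works on the request's context dict


@dataclass
class JobManagement:
    """Job management data for one processing request."""
    request_id: str
    execution_order: List[str]                               # job execution order data
    status: Dict[str, str] = field(default_factory=dict)     # job -> "pending"/"done"
    context: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        for name in self.execution_order:
            self.status.setdefault(name, "pending")

    def next_job(self) -> Optional[str]:
        """First job in execution order whose status data is still pending."""
        for name in self.execution_order:
            if self.status[name] == "pending":
                return name
        return None

    def finished(self) -> bool:
        return all(s == "done" for s in self.status.values())


class Scheduler:
    def __init__(self, job_table: Dict[str, Job]) -> None:
        self.job_table = job_table
        self.records: List[JobManagement] = []   # what the storage circuit holds
        self._cursor = 0
        self.trace: List[str] = []               # "request:job" in execution order

    def accept(self, request_id: str, order: List[str]) -> None:
        """Generate job management data for a newly received processing request."""
        unknown = [j for j in order if j not in self.job_table]
        if unknown or not order:
            raise ValueError(f"request {request_id}: bad job list {order!r}")
        self.records.append(JobManagement(request_id, list(order)))

    def select_record(self) -> Optional[JobManagement]:
        """Predetermined rule (assumed here): round-robin over live records."""
        if not self.records:
            return None
        self._cursor %= len(self.records)
        record = self.records[self._cursor]
        self._cursor += 1
        return record

    def step(self) -> bool:
        """One scheduling cycle; returns False when no request remains."""
        record = self.select_record()
        if record is None:
            return False
        name = record.next_job()
        assert name is not None            # finished records are deleted immediately
        self.job_table[name](record.context)      # execute the selected job
        record.status[name] = "done"              # update the status data
        self.trace.append(f"{record.request_id}:{name}")
        if record.finished():                     # all jobs done: delete the record
            self.records.remove(record)
            self._cursor -= 1                     # keep round-robin position stable
        return True

    def run(self) -> List[str]:
        while self.step():
            pass
        return self.trace


def make_job(label: str) -> Job:
    def job(ctx: dict) -> None:
        ctx.setdefault("log", []).append(label)
    return job


def demo() -> List[str]:
    """Two constructed requests on one circuit; returns the interleaved job trace."""
    jobs = {n: make_job(n) for n in ("authenticate", "decrypt", "settle", "log")}
    sched = Scheduler(jobs)
    sched.accept("A", ["authenticate", "settle"])
    sched.accept("B", ["authenticate", "decrypt", "settle", "log"])
    return sched.run()


if __name__ == "__main__":
    print(demo())
```

Because a record is selected before its next job is chosen, a long request such as B never blocks a short one such as A; the trace shows A's two jobs completing while B is still in progress.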
A data processing method of a fourth aspect of the present invention is a data processing method executed by a semiconductor circuit that runs an application program for processing related to a procedure that uses an integrated circuit, wherein the semiconductor circuit can consult correspondence indication data that indicates the correspondence between the operation codes with which the application program operates the integrated circuit and the names of those operations (operation names), the method comprising the steps of: causing the semiconductor circuit to receive as input an operation specification program that describes the operation of the application program in terms of operation names, to obtain the operation code corresponding to each operation name described in the operation specification program by consulting the correspondence indication data, and to define the processing of the application program using the obtained operation codes.
Further, in the data processing method of the fourth aspect, the correspondence indication data preferably further indicates the correspondence between operation names and the key information used when the integrated circuit performs the operation of that name, and the semiconductor circuit obtains the key information corresponding to each operation name described in the operation specification program by consulting the correspondence indication data and defines the processing of the application program using the obtained key information.
Further, the data processing method of the fourth aspect preferably further comprises causing the semiconductor circuit to generate job management data including job execution order data indicating the execution order of the plurality of jobs forming the processing of the application program and status data indicating the progress of execution of those jobs, to select the job to be executed next on the basis of the status data and the job execution order data of the job management data, to execute the selected job, and to update the status data of the job management data according to the execution of the job.
A semiconductor circuit of a fifth aspect of the present invention is a semiconductor circuit that runs an application program for processing related to a procedure that uses an integrated circuit, comprising: a storage circuit that holds correspondence indication data indicating the correspondence between the operation codes with which the application program operates the integrated circuit and the operation names; an interface that inputs an operation specification program describing the operation of the application program in terms of operation names; and a control circuit that obtains the operation code corresponding to each operation name described in the input operation specification program by consulting the correspondence indication data and defines the processing of the application program using the obtained operation codes.
In the semiconductor circuit of the fifth aspect, the interface inputs an operation specification program describing the operation of the application program in terms of operation names.
Subsequently, the control circuit obtains the operation code corresponding to each operation name described in the input operation specification program by consulting the correspondence indication data.
Thereafter, the control circuit defines the processing of the application program using the obtained operation codes.
A program of a sixth aspect of the present invention is a program executed by a semiconductor circuit that runs an application program for processing related to a procedure that uses an integrated circuit, including: a routine that inputs an operation specification program describing the operation of the application program in terms of the names of operations of the integrated circuit (operation names); a routine that consults correspondence indication data indicating the correspondence between the operation codes with which the application program operates the integrated circuit and the operation names, and thereby obtains the operation code corresponding to each operation name described in the operation specification program; and a routine that defines the processing of the application program using the obtained operation codes.
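The fourth to sixth aspects in working form, as an added example that is not the patent's or Sony's code: the service provider submits a specification written only with operation names, and the circuit resolves each name to an operation code and to key information from a table it alone holds, so the specification's author never sees a key. The table contents, the key values, the line-oriented spec syntax and the "requires prior AUTHENTICATE" rule are assumptions made for the illustration.

```python
# Added example (not from the patent): compiling an operation specification
# program, written only with operation names, into operation codes and key
# information that the specification's author never sees (fourth to sixth
# aspects). Table contents, key values, spec syntax and the "requires
# authentication" ordering rule are assumptions made for the illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Operation:
    op_code: int
    key_id: str                 # refers to key information held by the circuit
    needs_auth: bool = False    # assumed rule: must follow an AUTHENTICATE step


# Correspondence indication data: operation name -> op code and key reference.
CORRESPONDENCE: Dict[str, Operation] = {
    "SELECT_SERVICE": Operation(0x02, "k_service"),
    "AUTHENTICATE":   Operation(0x10, "k_auth"),
    "READ_BALANCE":   Operation(0x06, "k_read", needs_auth=True),
    "WRITE_BALANCE":  Operation(0x08, "k_write", needs_auth=True),
}

# Key information, visible only inside the circuit (constructed values).
KEY_STORE: Dict[str, bytes] = {
    "k_service": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "k_auth":    bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "k_read":    bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"),
    "k_write":   bytes.fromhex("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"),
}


@dataclass(frozen=True)
class Step:
    """One job of the defined application program."""
    op_code: int
    key: bytes
    args: Tuple[str, ...]


def parse_spec(text: str) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Assumed syntax: one 'OP_NAME arg ...' per line; '#' starts a comment."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            steps.append((lineno, name, tuple(args)))
    return steps


def compile_spec(text: str,
                 correspondence: Dict[str, Operation] = CORRESPONDENCE,
                 key_store: Dict[str, bytes] = KEY_STORE) -> List[Step]:
    """Resolve names to op codes and keys; reject unknown or out-of-order operations."""
    compiled: List[Step] = []
    authenticated = False
    for lineno, name, args in parse_spec(text):
        op = correspondence.get(name)
        if op is None:
            raise ValueError(f"line {lineno}: unknown operation name {name!r}")
        if op.needs_auth and not authenticated:
            raise ValueError(f"line {lineno}: {name} requires a prior AUTHENTICATE")
        if name == "AUTHENTICATE":
            authenticated = True
        compiled.append(Step(op.op_code, key_store[op.key_id], args))
    return compiled


def spec_mentions_key_material(text: str,
                               key_store: Dict[str, bytes] = KEY_STORE) -> bool:
    """True if any key bytes (as hex) appear in the specification text."""
    lowered = text.lower()
    return any(k.hex() in lowered for k in key_store.values())


# Constructed specification as a service provider would submit it: names only.
SAMPLE_SPEC = """
SELECT_SERVICE 0x1234     # settlement service code
AUTHENTICATE
READ_BALANCE
WRITE_BALANCE 500         # new balance
"""


if __name__ == "__main__":
    for step in compile_spec(SAMPLE_SPEC):
        print(f"op=0x{step.op_code:02x} key={step.key.hex()[:8]}... args={step.args}")
```

The compiled `Step` list is what would feed the job management data of the previous aspects; the ordering check is the kind of semantic validation a real operation compiler should do before any key is attached to a job.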
A data processing method of a seventh aspect of the present invention is a data processing method performed by a semiconductor circuit that executes an application program, comprising the steps of: protecting each of the plurality of program modules forming the application program with the one of a plurality of firewalls assigned in advance to that program module; recording each program module linked with firewall identification information that identifies the firewall assigned to it; and executing a program module only on condition that it has been so recorded.
The data processing method of the seventh aspect preferably further comprises permitting data transfer and data viewing between recorded program modules linked with the same firewall identification information, and prohibiting data transfer and data viewing between recorded program modules linked with different firewall identification information.
The data processing method of the seventh aspect preferably further comprises the steps of:
recording each program module linked with download key information used when the program module is downloaded into the semiconductor circuit from outside; when a download request for a program module is received, judging from the recorded download key information linked with that program module whether the download is permitted; and downloading the program module only when the download is judged to be permitted.
A semiconductor circuit according to an eighth aspect of the present invention is a semiconductor circuit that runs an application program, protects each of the plurality of program modules forming the application program with a firewall assigned in advance to that program module, records each program module linked with firewall identification information identifying the firewall assigned to it, and executes a program module only on condition that it has been so recorded.
A program of a ninth aspect of the present invention is a program executed by a semiconductor circuit that executes an application program, including a routine that protects each of the plurality of program modules forming the application program with the one of a plurality of firewalls assigned in advance to that program module and records each program module linked with firewall identification information identifying the firewall assigned to it, and a routine that executes a program module only on condition that it has been so recorded.
A data processing method of a tenth aspect of the present invention is a data processing method executed by a semiconductor circuit that executes application programs, comprising the steps of: executing a plurality of applications, each protected by a firewall, independently of one another; recording in advance the conditions under which communication between the applications through the firewall is allowed; when an application requests communication with another application, judging whether the communication request satisfies the recorded conditions; and performing the communication between the applications according to the request only when it is judged to satisfy the recorded conditions.
A semiconductor circuit of an eleventh aspect of the present invention is a semiconductor circuit that executes a plurality of applications, each protected by a firewall, independently of one another, records in advance the conditions under which communication between the applications through the firewall is allowed, judges, when an application requests communication with another application, whether the communication request satisfies the recorded conditions, and performs the communication between the applications according to the request only when it is judged to satisfy the recorded conditions.
The semiconductor circuit of the eleventh aspect executes a plurality of application programs, each protected by a firewall, independently of one another.
Further, the semiconductor circuit records in advance the conditions under which communication between the applications through the firewall is allowed.
Further, when an application requests communication with another application, the semiconductor circuit judges whether the communication request satisfies the recorded conditions.
Further, when the communication request is judged to satisfy the recorded conditions, the semiconductor circuit performs the communication between the applications according to the request.
A program of a twelfth aspect of the present invention is a program that causes a semiconductor circuit to execute: a routine that executes a plurality of applications, each protected by a firewall, independently of one another; a routine that records in advance the conditions under which communication between the applications through the firewall is allowed; a routine that, when an application requests communication with another application, judges whether the communication request satisfies the recorded conditions; and a routine that, when the communication request is judged to satisfy the recorded conditions, performs the communication between the applications according to the request.
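One model of the seventh to twelfth aspects together, as an added example that is not the patent's or Sony's code: modules are recorded with a firewall identifier and a download key, a module image is accepted only when it verifies under that key, execution requires the module to be recorded and downloaded, data viewing is confined to modules behind the same firewall, and communication across firewalls is allowed only for (source firewall, destination firewall, message type) triples recorded in advance. The HMAC-SHA256 download check, the class names and the sample policy are assumptions made for the illustration.

```python
# Added example (not from the patent): program modules recorded with a
# firewall identifier and a download key, data viewing confined to modules
# behind the same firewall, and inter-application communication allowed only
# under conditions recorded in advance (seventh to twelfth aspects). The
# HMAC-SHA256 download check, the class names and the sample policy are
# assumptions made for the illustration.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ModuleRecord:
    name: str
    firewall_id: str                 # firewall identification information
    download_key: bytes              # download key information
    code: Optional[bytes] = None     # present once a permitted download completed
    data: Optional[bytes] = None     # module-private data


class FirewalledCircuit:
    def __init__(self) -> None:
        self.modules: Dict[str, ModuleRecord] = {}
        # Conditions recorded in advance: (source firewall, destination firewall, message type).
        self.allowed: Set[Tuple[str, str, str]] = set()

    # --- recording and download (seventh to ninth aspects) ---------------------
    def record(self, name: str, firewall_id: str, download_key: bytes) -> None:
        self.modules[name] = ModuleRecord(name, firewall_id, download_key)

    def download(self, name: str, code: bytes, tag: bytes) -> bool:
        """Accept a module image only if its tag verifies under the recorded download key."""
        rec = self.modules.get(name)
        if rec is None:
            return False
        expected = hmac.new(rec.download_key, code, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        rec.code = code
        return True

    def execute(self, name: str) -> str:
        """A module runs only if it is recorded and its download was permitted."""
        rec = self.modules.get(name)
        if rec is None or rec.code is None:
            raise PermissionError(f"module {name!r} is not recorded/downloaded")
        rec.data = hashlib.sha256(rec.code).digest()[:4]   # stand-in for real work
        return f"{name} ran behind firewall {rec.firewall_id}"

    def view(self, requester: str, target: str) -> bytes:
        """Data viewing is allowed only between modules behind the same firewall."""
        src, dst = self.modules[requester], self.modules[target]
        if src.firewall_id != dst.firewall_id:
            raise PermissionError(f"{requester} may not view {target}")
        return dst.data or b""

    # --- communication through the firewall (tenth to twelfth aspects) ---------
    def permit(self, src_fw: str, dst_fw: str, message_type: str) -> None:
        self.allowed.add((src_fw, dst_fw, message_type))

    def transfer(self, sender: str, receiver: str, message_type: str, payload: bytes) -> bool:
        src, dst = self.modules[sender], self.modules[receiver]
        crosses = src.firewall_id != dst.firewall_id
        if crosses and (src.firewall_id, dst.firewall_id, message_type) not in self.allowed:
            return False
        dst.data = payload
        return True


def sign_image(download_key: bytes, code: bytes) -> bytes:
    """What the module's owner computes before download (assumed HMAC scheme)."""
    return hmac.new(download_key, code, hashlib.sha256).digest()


def demo() -> FirewalledCircuit:
    """Two enterprises' applications on one circuit (constructed keys and images)."""
    c = FirewalledCircuit()
    k_bank, k_transit = b"bank-download-key-01", b"transit-download-key-01"
    c.record("bank.core", "FW_BANK", k_bank)
    c.record("bank.ui", "FW_BANK", k_bank)
    c.record("transit.fare", "FW_TRANSIT", k_transit)
    for name, key in (("bank.core", k_bank), ("bank.ui", k_bank), ("transit.fare", k_transit)):
        image = f"code of {name}".encode()
        if not c.download(name, image, sign_image(key, image)):
            raise RuntimeError(f"download of {name} rejected")
    c.permit("FW_TRANSIT", "FW_BANK", "settlement_request")   # recorded in advance
    return c
```

The policy is directional and typed: the recorded condition lets the transit application send a settlement request to the bank application, but not the reverse, and not a different message type, which is the granularity an operator would want when one enterprise's module must not be able to probe another's.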
A data processing method of a thirteenth aspect of the present invention is a data processing method by which a program to run in a semiconductor circuit is downloaded into the semiconductor circuit or into a semiconductor memory device accessible to it, comprising the steps of: giving the semiconductor circuit a software structure composed of a plurality of layers; enabling the semiconductor circuit to consult download signature verification key information corresponding to each layer; when a download request is received, causing the semiconductor circuit to verify the download signature information generated for the download request using the download signature verification key information; and, on condition that the download signature information is legitimate, allowing the issuer of the download request to download a program of the layer corresponding to the download signature verification key information used for the verification.
Further, the data processing method of the thirteenth aspect further comprises the steps of: causing an authentication device to hold access master key information corresponding to the layer to which the program it is allowed to download belongs; causing the authentication device to transmit the download request to the semiconductor circuit; and causing the authentication device to generate the download signature information using the access master key information and transmit it to the semiconductor circuit.
Further, the data processing method of the thirteenth aspect further comprises the steps of: causing the authentication device to hold identification information of the semiconductor circuit; causing it to encrypt that identification information, in plaintext form, with the access master key information, thereby generating download master key information; and causing it to generate the download signature information using the download master key information.
A semiconductor circuit of a fourteenth aspect of the present invention is a semiconductor circuit having a software structure composed of a plurality of layers, which can consult download signature verification key information corresponding to each layer, verifies, when a download request is received, the download signature information generated for the download request using the download signature verification key information, and, on condition that the download signature information is legitimate, allows the issuer of the download request to download a program of the layer corresponding to the download signature verification key information used for the verification into the semiconductor circuit or a semiconductor memory circuit accessible to it.
When it receives a download request, the semiconductor circuit of the fourteenth aspect verifies the download signature information generated for the download request using the download signature verification key information.
Further, on condition that the download signature information is legitimate, the semiconductor circuit allows the issuer of the download request to download a program of the layer corresponding to the download signature verification key information used for the verification into the semiconductor circuit or a semiconductor memory circuit accessible to it.
An authentication device of a fifteenth aspect of the present invention is an authentication device used for authentication when a program to run in a semiconductor circuit having a software structure composed of several layers is downloaded into the semiconductor circuit or into a semiconductor storage device accessible to it; the authentication device holds access master key information corresponding to the layer to which the program it is allowed to download belongs, transmits a download request to the semiconductor circuit, generates download signature information using the access master key information, and transmits the download signature information to the semiconductor circuit.
The authentication device of the fifteenth aspect first transmits a download request to the semiconductor circuit.
Further, the authentication device generates download signature information using the access master key information.
Further, the authentication device transmits the download signature information to the semiconductor circuit.
A program of a sixteenth aspect of the present invention is a program executed by a semiconductor circuit having a software structure composed of a plurality of layers, including a routine that, when a download request is received, verifies the download signature information generated for the download request using the download signature verification key information of the corresponding one of the plurality of layers, and a routine that, on condition that the download signature information is legitimate, allows the issuer of the download request to download a program of the layer corresponding to the download signature verification key information used for the verification into the semiconductor circuit or a semiconductor memory circuit accessible to it.
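The exchange of the thirteenth to sixteenth aspects, as an added example that is not the patent's or Sony's code: an authentication device holds the access master key of one layer, derives a circuit-specific download master key from the circuit's identification information, and signs the download request; the circuit verifies with the verification key of the layer named in the request, so a device entitled to the application layer cannot authorize an OS-layer download. HMAC-SHA256 stands in both for the "encrypt the ID with the access master key" derivation and for the signature; the layer names, request fields, provisioning step and nonce check are assumptions made for the illustration.

```python
# Added example (not from the patent): layered download authorization for the
# thirteenth to sixteenth aspects. HMAC-SHA256 stands in for the cipher used to
# derive the download master key and for the download signature; the layer
# names, request fields, provisioning step and nonce check are assumptions.
import hashlib
import hmac
import json
from typing import Dict, Optional, Set, Tuple

LAYERS = ("os", "middleware", "application")   # assumed layer names


def derive_download_master_key(access_master_key: bytes, circuit_id: bytes) -> bytes:
    """Download master key = f(access master key, circuit ID); HMAC stands in for the cipher."""
    return hmac.new(access_master_key, circuit_id, hashlib.sha256).digest()


def _canonical(request: Dict[str, str]) -> bytes:
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


class AuthenticationDevice:
    def __init__(self, layer: str, access_master_key: bytes, circuit_id: bytes) -> None:
        self.layer = layer
        self.access_master_key = access_master_key
        self.circuit_id = circuit_id

    def download_request(self, program: bytes, nonce: bytes,
                         layer: Optional[str] = None) -> Tuple[Dict[str, str], bytes]:
        """Build the download request and its download signature information.
        `layer` defaults to the device's own layer; naming another layer shows
        that the signature then fails on the circuit."""
        request = {
            "circuit_id": self.circuit_id.hex(),
            "layer": layer or self.layer,
            "program": program.hex(),
            "nonce": nonce.hex(),
        }
        key = derive_download_master_key(self.access_master_key, self.circuit_id)
        signature = hmac.new(key, _canonical(request), hashlib.sha256).digest()
        return request, signature


class SemiconductorCircuit:
    def __init__(self, circuit_id: bytes, verification_keys: Dict[str, bytes]) -> None:
        self.circuit_id = circuit_id
        self.verification_keys = verification_keys       # one per layer
        self.programs: Dict[str, bytes] = {}
        self._seen_nonces: Set[str] = set()

    def handle_download(self, request: Dict[str, str], signature: bytes) -> bool:
        key = self.verification_keys.get(request.get("layer", ""))
        if key is None or request.get("circuit_id") != self.circuit_id.hex():
            return False
        expected = hmac.new(key, _canonical(request), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        if request["nonce"] in self._seen_nonces:        # replay (assumed check)
            return False
        self._seen_nonces.add(request["nonce"])
        self.programs[request["layer"]] = bytes.fromhex(request["program"])
        return True


def provision(circuit_id: bytes, access_master_keys: Dict[str, bytes]) -> SemiconductorCircuit:
    """Assumed provisioning step: the circuit receives one verification key per
    layer, derived exactly as the authentication devices derive their keys."""
    keys = {layer: derive_download_master_key(amk, circuit_id)
            for layer, amk in access_master_keys.items()}
    return SemiconductorCircuit(circuit_id, keys)


# Constructed keys and identifiers for the demo.
ACCESS_MASTER_KEYS = {layer: hashlib.sha256(f"amk:{layer}".encode()).digest() for layer in LAYERS}
CIRCUIT_ID = bytes.fromhex("0123456789abcdef")


def demo() -> Dict[str, bool]:
    """An application-layer device tries four downloads; returns each outcome."""
    circuit = provision(CIRCUIT_ID, ACCESS_MASTER_KEYS)
    app_dev = AuthenticationDevice("application", ACCESS_MASTER_KEYS["application"], CIRCUIT_ID)
    outcome = {}
    req, sig = app_dev.download_request(b"app v1", b"\x01")
    outcome["app_to_app"] = circuit.handle_download(req, sig)
    outcome["replay"] = circuit.handle_download(req, sig)
    req, sig = app_dev.download_request(b"os v2", b"\x02", layer="os")
    outcome["app_to_os"] = circuit.handle_download(req, sig)
    req, sig = app_dev.download_request(b"app v1", b"\x03")
    req["program"] = b"app v1 tampered".hex()
    outcome["tampered"] = circuit.handle_download(req, sig)
    return outcome
```

Binding the download master key to the circuit's identification information means a key recovered from one authentication device is only ever good for the circuits it was issued for; the `other` circuit in the test rejects a request signed for `CIRCUIT_ID` even though the layer key derivation is the same.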
A semiconductor circuit of a seventeenth aspect of the present invention is a semiconductor circuit having a data processing circuit and a data input/output circuit, the data processing circuit inputting and outputting data to and from a bus outside the semiconductor circuit through the data input/output circuit, and the data input/output circuit encrypting data input from the data processing circuit in units of a predetermined data length and outputting the encrypted data to the bus, decrypting data input from the bus and outputting the decrypted data to the data processing circuit, and performing data input/output through the bus in units of m data input/output transactions, where Nb is the width of the bus, Nc is the data length, n = Nc/Nb, and m is the smallest integer not less than n.
The semiconductor circuit of the seventeenth aspect of the present invention inputs and outputs data to and from a bus outside the semiconductor circuit through the data input/output circuit.
At this time, the data input/output circuit encrypts data input from the data processing circuit in units of a predetermined data length and outputs the encrypted data to the bus.
Further, the data input/output circuit decrypts data input from the bus and outputs the decrypted data to the data processing circuit.
At this time, the data input/output circuit performs data input/output through the external bus in units of m data input/output transactions, where Nb is the width of the bus, Nc is the data length, n = Nc/Nb, and m is the smallest integer not less than n.
Further, in the semiconductor circuit of the seventeenth aspect of the present invention, when the semiconductor memory circuit is accessed based on a first address input from the data processing circuit, the data input/output circuit preferably converts the first address into a second address for accessing the semiconductor memory circuit in units of memory areas each holding Nc of data, and accesses the semiconductor memory circuit using the second address.
A data processing method of an eighteenth aspect of the present invention is a data processing method executed by a semiconductor circuit connected to a semiconductor memory circuit through a bus when the semiconductor circuit accesses the semiconductor memory circuit, comprising the steps of: encrypting data to be written into the semiconductor memory circuit in units of a predetermined data length and outputting the encrypted data to the bus; decrypting data input from the bus; and performing data input/output through the bus in units of m data input/output transactions, where Nb is the width of the bus, Nc is the data length, n = Nc/Nb, and m is the smallest integer not less than n.
A data processing apparatus of a nineteenth aspect of the present invention comprises: a storage circuit that stores instructions and data of a plurality of programs; a calculation circuit that accesses the storage circuit through a transmission line and executes the plurality of programs using their instructions and data; a connection switching circuit disposed between the transmission line and the storage circuit for setting the transmission line and the storage circuit in one of a connected state and a disconnected state in accordance with a control signal; a connection control circuit that generates the control signal setting the transmission line and the storage circuit in one of the connected state and the disconnected state, based on access range definition data defining, for each of the plurality of programs, the address range in the storage circuit that may be accessed while the calculation circuit is executing that program, on the address for which the calculation circuit issues an access request, and on execution program instruction information specifying which of the plurality of programs the calculation circuit is executing; and an input/output interface circuit which inputs and outputs data with respect to the calculation circuit through the transmission line and inputs and outputs data with respect to the outside of the data processing apparatus.
Further, in the data processing apparatus of the nineteenth aspect of the present invention, the connection control circuit preferably generates a control signal indicating that the transmission line and the storage circuit are set in the connected state when the address in the storage circuit for which the calculation circuit issues an access request is within the address range defined by the access range definition data for the program being executed, and generates a control signal indicating that the transmission line and the storage circuit are set in the disconnected state when the address is not within that address range.
A semiconductor circuit according to a twentieth aspect of the present invention is a semiconductor circuit for executing a program, including: a first transmission line; a storage circuit for holding instructions or data for executing the program; a calculation circuit operating in accordance with an instruction read from the storage circuit through the first transmission line; a first connection switching circuit setting the first transmission line and the storage circuit to one of a connected state and a disconnected state in accordance with a first control signal; a second connection switching circuit setting a second transmission line outside the semiconductor circuit and the first transmission line to one of a connected state and a disconnected state in accordance with a second control signal; and a connection control circuit which outputs a second control signal indicating disconnection to the second connection switching circuit when it outputs a first control signal indicating connection to the first connection switching circuit, and outputs a second control signal indicating connection to the second connection switching circuit when it outputs a first control signal indicating disconnection to the first connection switching circuit.
Further, in the semiconductor circuit of the twentieth aspect of the present invention, the second connection switching circuit is connected to a storage device located outside the semiconductor circuit through a second transmission line.
Further, in the semiconductor circuit of the twentieth aspect of the present invention, when the calculation circuit reads an instruction from the storage circuit, the connection control circuit outputs a first control signal indicating connection to the first connection switching circuit and outputs a second control signal indicating disconnection to the second connection switching circuit.
A semiconductor circuit according to a twenty-first aspect of the present invention is a semiconductor circuit for executing a program, and includes: an encryption/decryption circuit for encrypting data to be output to a storage device via a first transmission line outside the semiconductor circuit, and for decrypting encrypted data or an encrypted command input from the storage device via the first transmission line; a calculation circuit for performing calculation using the decrypted data or command; a selection circuit for selecting, based on a control signal, whether or not to permit communication between a second transmission line outside the semiconductor circuit and the calculation circuit; and a control circuit for outputting to the selection circuit the control signal indicating that communication between the second transmission line and the calculation circuit is not permitted while the calculation circuit is performing processing using the data or command of the program.
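The connection control of the nineteenth and twentieth aspects, as an added example that is not the patent's own circuit: a software model in which the executing program is identified from the address being fetched, an access is delivered to the storage circuit only when the requested address lies in that program's range from the access range definition data, and the two switches of the twentieth aspect are driven complementarily so the external line is cut off during internal fetches. Program names, address ranges and stored words are constructed.

```python
CONNECTED, DISCONNECTED = "connected", "disconnected"


class GuardedMemory:
    """Storage circuit behind a connection switching circuit. The connection
    control circuit decides per access whether the transmission line is joined
    to the storage circuit (nineteenth aspect) and keeps the external bus cut
    off while instructions are fetched internally (twentieth aspect)."""

    def __init__(self, access_ranges, storage):
        self.access_ranges = access_ranges  # program -> (first, last) address
        self.storage = storage              # address -> instruction or data word
        self.log = []                       # (program, address, control signal)

    def executing_program(self, pc):
        # Execution program instruction information: the program whose range
        # holds the address the calculation circuit is fetching from.
        for program, (first, last) in self.access_ranges.items():
            if first <= pc <= last:
                return program
        return None

    def control_signal(self, program, address):
        # Nineteenth aspect: connect only for addresses inside the executing
        # program's own range; an unknown program gets an empty range.
        first, last = self.access_ranges.get(program, (1, 0))
        return CONNECTED if first <= address <= last else DISCONNECTED

    def switch_signals(self, internal_fetch):
        # Twentieth aspect: the first (internal storage) and second (external
        # line) switches are never both connected.
        first = CONNECTED if internal_fetch else DISCONNECTED
        second = DISCONNECTED if first == CONNECTED else CONNECTED
        return first, second

    def access(self, pc, address, value=None):
        """Read (value is None) or write through the switching circuit. Returns
        the word read, True for a completed write, or None when disconnected."""
        program = self.executing_program(pc)
        signal = self.control_signal(program, address)
        self.log.append((program, address, signal))
        if signal == DISCONNECTED:
            return None  # the storage circuit never sees the request
        if value is None:
            return self.storage.get(address)
        self.storage[address] = value
        return True


def build_sample():
    """Constructed access range definition data and storage contents."""
    ranges = {"AP_1": (0x000, 0x0FF), "AP_2": (0x100, 0x1FF)}
    storage = {0x010: "ap1-key", 0x110: "ap2-key"}
    return GuardedMemory(ranges, storage)
```

A read issued while AP_1 is executing is delivered for AP_1's own range and silently dropped for AP_2's, and a cross-range write leaves the storage circuit untouched.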
A data processing apparatus of a twenty-second aspect of the present invention is a data processing apparatus including: a memory circuit that holds, in a predetermined memory area, a plurality of application programs each made up of a plurality of data modules including processing routine data describing a processing routine that communicates with an integrated circuit to provide a service, and that holds management data representing which data modules are linked together, first key data for using another data module in processing according to a data module, and second key data for transferring data with respect to the integrated circuit in processing according to the data module; and a semiconductor circuit that performs service-related processing according to the data modules, refers to the management data in that processing, uses another data module with the first key data corresponding to the data module, and transfers data with respect to the integrated circuit using the second key data corresponding to the data module.
Further, in the data processing apparatus of the twenty-second aspect of the present invention, the memory circuit preferably stores at least one of log data of processing performed with a data module, in the form of a data module, program data of a routine for recording a data module into the memory area, program data of a routine for deleting a data module from the memory area, and program data of a routine for defining the memory area for storing the application program.
Further, in the data processing apparatus according to the twenty-second aspect of the present invention, when the semiconductor circuit, while executing processing according to a predetermined data module, is to execute processing according to another data module, the semiconductor circuit preferably obtains the first key data corresponding to the predetermined data module and the first key data corresponding to the other data module using the management data, and uses the other data module from the predetermined data module being executed on condition that the two obtained first key data coincide.
A data processing method of a twenty-third aspect of the present invention is a data processing method in which a semiconductor circuit that performs processing for providing a service communicates with an integrated circuit and transfers data with respect to a memory circuit, wherein the memory circuit holds, in a predetermined memory area, application programs each composed of data modules including processing routine data describing a processing routine which communicates with the integrated circuit to provide the service, and management data representing which data modules are linked together, first key data for using another data module in processing according to a data module, and second key data for transferring data with respect to the integrated circuit in processing according to the data module, the method comprising the steps of: causing the semiconductor circuit to execute processing related to the service in accordance with a data module; causing the semiconductor circuit to refer to the management data in the processing related to the service and to use another data module with the first key data corresponding to the data module; and causing the semiconductor circuit to transfer data with respect to the integrated circuit using the second key data corresponding to the data module in the processing related to the service.
A program of a twenty-fourth aspect of the present invention is a program executed by a semiconductor circuit that communicates with an integrated circuit to execute processing for providing a service and transfers data with respect to a memory circuit, the memory circuit storing, in a predetermined memory area, a plurality of application programs each composed of a plurality of data modules including processing routine data describing a processing routine for communicating with the integrated circuit to provide the service, and management data representing which data modules are linked together, first key data for using another data module in processing according to a data module, and second key data for transferring data with respect to the integrated circuit in processing according to the data module, the program including: a routine for executing processing related to the service according to a data module, referring to the management data in that processing, and using another data module with the first key data corresponding to the data module; and a routine for transferring data with respect to the integrated circuit using the second key data corresponding to the data module in the processing related to the service.
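The module management of the twenty-second to twenty-fourth aspects, as an added example that is not the patent's own code: the external memory holds data modules together with management data (links between modules, first key data, second key data), the SAM lets one module call another only when the link exists and the two first keys coincide, and data sent to the IC card is protected with the calling module's second key. Module names, keys and routines are constructed, and HMAC-SHA256 as the protection applied with the second key is an assumption.

```python
import hashlib
import hmac


class ExternalMemory:
    """Memory circuit holding application programs as data modules plus the
    management data that links modules and assigns their first/second keys."""

    def __init__(self):
        self.modules = {}      # module id -> processing routine (callable)
        self.links = {}        # management data: module id -> linked module ids
        self.first_keys = {}   # module id -> first key data (inter-module use)
        self.second_keys = {}  # module id -> second key data (IC card transfer)

    def store_module(self, module_id, routine, links, first_key, second_key):
        self.modules[module_id] = routine
        self.links[module_id] = tuple(links)
        self.first_keys[module_id] = first_key
        self.second_keys[module_id] = second_key


class SamChip:
    def __init__(self, memory):
        self.memory = memory

    def use_module(self, current, other, *args):
        """Run `other`'s routine on behalf of `current`: the management data
        must link the two modules and their first key data must coincide."""
        mem = self.memory
        if other not in mem.links.get(current, ()):
            raise PermissionError(f"{other} is not linked from {current}")
        if not hmac.compare_digest(mem.first_keys[current], mem.first_keys[other]):
            raise PermissionError(f"first key data of {current} and {other} differ")
        return mem.modules[other](*args)

    def transfer_to_ic(self, module_id, payload):
        """Data for the integrated circuit carries an HMAC-SHA256 tag under the
        module's second key data (assumed form of protection)."""
        key = self.memory.second_keys[module_id]
        return payload + hmac.new(key, payload, hashlib.sha256).digest()


def build_sample_memory():
    """Constructed contents: enterprise AP_1 with a settlement module and a log
    module sharing first key data, and enterprise AP_2 with its own keys. The
    link from AP_1 to AP_2 exists but the keys differ, so it must be refused."""
    mem = ExternalMemory()
    mem.store_module("AP_1/settlement", lambda amount: f"settle {amount}",
                     links=("AP_1/log", "AP_2/settlement"),
                     first_key=b"ap1-first", second_key=b"ap1-second")
    mem.store_module("AP_1/log", lambda entry: f"logged {entry}",
                     links=(), first_key=b"ap1-first", second_key=b"ap1-second")
    mem.store_module("AP_2/settlement", lambda amount: f"settle {amount}",
                     links=(), first_key=b"ap2-first", second_key=b"ap2-second")
    return mem
```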
According to the present invention described above, the following effects can be obtained.
That is, according to the first to third aspects of the present invention, it is possible to provide a data processing method, a semiconductor circuit, and a program which can efficiently perform processing according to a large number of processing requests.
According to the fourth to sixth aspects of the present invention, it is possible to provide a server that enables a user to generate and customize an application program to be executed by the server for the user without informing the user of highly confidential information.
According to the seventh to ninth aspects of the present invention, it is possible to provide a data processing method, a semiconductor circuit, and a program that can prevent each application program from being influenced by another application program when several application programs are run on the same semiconductor circuit.
According to the tenth to twelfth aspects of the present invention, it is possible to provide a data processing method, a semiconductor circuit, and a program which are produced in consideration of the above-described prior art and which, when several applications are run on the same semiconductor circuit, allow data to be transferred between the applications as needed while preventing each application from being subjected to illegal tampering, monitoring, or the like by a user of another application.
According to the thirteenth to sixteenth aspects of the present invention, it is possible to provide a data processing method, a semiconductor circuit, an authentication device, and a program that can restrict access contents to a semiconductor circuit of a server or the like in accordance with its authority.
According to the seventeenth and eighteenth aspects of the present invention, it is possible to provide a semiconductor circuit and a data processing method capable of maintaining confidentiality of data even when highly confidential data is transferred between the semiconductor circuit and the semiconductor memory circuit through an external bus.
According to the nineteenth aspect of the present invention, it is possible to provide a data processing apparatus that can maintain confidentiality of instructions and data between programs when executing a plurality of programs.
According to the twentieth and twenty-first aspects of the present invention, a semiconductor circuit capable of improving the confidentiality of an executed program can be provided.
According to the twenty-second to twenty-fourth aspects of the present invention, it is possible to provide a data processing apparatus, method, and program that can improve the security of an application program running on a server when an IC card or other integrated circuit is used.
Drawings
Fig. 1 is a view of the overall structure of a communication system of one embodiment of the present invention.
Fig. 2 illustrates a software configuration of the SAM chip shown in fig. 1.
Fig. 3 is a functional block diagram of an IC of the IC card shown in fig. 1.
Fig. 4 illustrates information stored in the memory shown in fig. 3.
Fig. 5 illustrates information stored in the external memory of the SAM apparatus shown in fig. 1.
Fig. 6 illustrates the service definition table data shown in fig. 5.
Fig. 7 illustrates a process in the SAM chip using the service definition table data and the script program shown in fig. 5.
Fig. 8 illustrates commands used in a script program.
Fig. 9 is a functional block diagram of the SAM chip shown in fig. 1.
Fig. 10 illustrates data stored in the memory shown in fig. 9.
Fig. 11 illustrates a format of IC card entity data generated by the SAM chip.
Fig. 12 illustrates a state transition diagram of the IC card entity data shown in fig. 11.
Fig. 13 illustrates a processing routine of the IC card process management task shown in fig. 10.
Fig. 14 illustrates the overall operation of the communication system shown in fig. 1.
Fig. 15 illustrates the overall operation of the communication system shown in fig. 1.
Fig. 16 illustrates a communication protocol between the IC card and the SAM chip.
Fig. 17 is a functional block diagram showing functional blocks of the SAM chip shown in fig. 9 in more detail.
Fig. 18 illustrates another usage pattern of the SAM chip.
Fig. 19 is a view of the overall configuration of a communication system of one embodiment of the present invention.
Fig. 20 illustrates a software configuration of the SAM chip shown in fig. 19.
Fig. 21 is a functional block diagram of an IC of the IC card shown in fig. 19.
Fig. 22 illustrates information stored in the memory shown in fig. 21.
Fig. 23 illustrates an external memory of the SAM apparatus shown in fig. 19.
Fig. 24 illustrates a format of the module management data shown in fig. 23.
Fig. 25 is a functional block diagram of the SAM chip shown in fig. 1.
Fig. 26 illustrates tasks performed by the CPU shown in fig. 25.
Fig. 27 is a flowchart illustrating an operation of downloading an application program from a personal computer to the external memory shown in fig. 19.
Fig. 28 is a flowchart illustrating an operation of the SAM chip that executes the application program shown in fig. 19.
Fig. 29 illustrates an operation during execution of an application program.
Fig. 30 illustrates the overall operation of the system shown in fig. 19.
Fig. 31 is a functional block diagram showing functional blocks of the SAM chip shown in fig. 25 in more detail.
Fig. 32 illustrates another usage pattern of the SAM chip.
Fig. 33 illustrates the overall configuration of a communication system of one embodiment of the present invention.
Fig. 34 illustrates a software configuration of the SAM chip shown in fig. 33.
Fig. 35 is a functional block diagram of an IC of the IC card shown in fig. 33.
Fig. 36 illustrates information stored in the memory shown in fig. 35.
Fig. 37 is a view of an external memory of the SAM apparatus shown in fig. 33.
Fig. 38 illustrates the AP selection data shown in fig. 37.
Fig. 39 illustrates inter-AP communication data shown in fig. 37.
Fig. 40 is a functional block diagram of the SAM chip shown in fig. 33.
Fig. 41 illustrates tasks performed by the CPU shown in fig. 40.
Fig. 42 illustrates the function of the settlement processing routine task shown in fig. 41.
Fig. 43 is a flowchart illustrating a process of the inter-AP communication task shown in fig. 41.
Fig. 44 illustrates an inter-SAM communication task shown in fig. 41.
Fig. 45 illustrates the overall operation of the communication system shown in fig. 33.
Fig. 46 is a functional block diagram showing functional blocks of the SAM chip shown in fig. 40 in more detail.
Fig. 47 illustrates another usage pattern of the SAM chip.
Fig. 48 is a view of the overall configuration of a communication system of one embodiment of the present invention.
Fig. 49 illustrates a software configuration of the SAM chip shown in fig. 48.
Fig. 50 is a functional block diagram of an authentication device of an enterprise using the application shown in fig. 48.
Fig. 51 illustrates the function of the mutual authentication means shown in fig. 50.
Fig. 52 illustrates the functions of the download processing apparatus shown in fig. 50.
Fig. 53 is a functional block diagram of an authentication means of a software developer of the handler layer shown in fig. 48.
Fig. 54 illustrates the function of the download processing means shown in fig. 53.
Fig. 55 is a functional block diagram of an authentication apparatus of an administrator of the SAM chip shown in fig. 48.
Fig. 56 illustrates the functions of the download processing apparatus shown in fig. 55.
Fig. 57 illustrates an external memory of the SAM apparatus shown in fig. 48.
Fig. 58 is a functional block diagram of the SAM chip shown in fig. 48.
Fig. 59 is a flowchart illustrating an operation of downloading an application program from a personal computer to the external memory shown in fig. 48.
Fig. 60 illustrates processing of a transaction using the IC card of the communication system shown in fig. 48.
Fig. 61 is a functional block diagram showing functional blocks of the SAM chip shown in fig. 58 in more detail.
Fig. 62 illustrates another usage pattern of the SAM chip.
Fig. 63 illustrates a modification of the communication system shown in fig. 48.
Fig. 64 is a view of the overall configuration of a communication system of one embodiment of the present invention.
Fig. 65 illustrates a software configuration of the SAM chip shown in fig. 64.
Fig. 66 illustrates an external memory of the SAM apparatus shown in fig. 64.
Fig. 67 is a functional block diagram of the SAM chip shown in fig. 64.
Fig. 68 illustrates a relationship among the CPU, the bus scrambling means, and the external memory shown in fig. 66.
Fig. 69 illustrates an address space between the CPU and the external memory shown in fig. 68.
Fig. 70 is a functional block diagram of the bus scrambling device shown in fig. 67.
Fig. 71 illustrates a write operation of an external memory by the bus scrambling device shown in fig. 67.
Fig. 72 is a flowchart of the operation shown in fig. 71.
Fig. 73 illustrates a read operation of an external memory by the bus scrambling device shown in fig. 67.
Fig. 74 is a flowchart of the operation shown in fig. 73.
Fig. 75 illustrates an exchange process of a scrambling key in the scrambling key management apparatus shown in fig. 70.
Fig. 76 illustrates an exchange process of scrambling keys in the scrambling key management apparatus shown in fig. 70.
Fig. 77 illustrates the exchange timing of the scrambling key in the scrambling key management apparatus shown in fig. 70.
Fig. 78 illustrates the exchange timing of the scrambling key in the scrambling key management apparatus shown in fig. 70.
Fig. 79 illustrates pipeline processing performed by the pipeline processing control means shown in fig. 70.
Fig. 80 illustrates the overall operation of the communication system shown in fig. 64.
Fig. 81 is a functional block diagram showing functional blocks of the SAM chip shown in fig. 67 in more detail.
Fig. 82 illustrates another usage pattern of the SAM chip.
Fig. 83 is a functional block diagram of a computer used in electronic settlement constituting the related art of the present invention.
Fig. 84 illustrates the software configuration of the computer shown in fig. 83 and of one embodiment of the present invention.
Fig. 85 illustrates the type of IC card processed by the computer shown in fig. 83.
Fig. 86 illustrates the memory state of the memory shown in fig. 83 before writing.
Fig. 87 illustrates a storage state of the memory shown in fig. 83 after writing.
Fig. 88 illustrates the correspondence between the application program and the type of IC card shown in fig. 84.
Fig. 89 is a view of the structure of a computer according to an embodiment of the present invention.
Fig. 90 is a structure of the judgment circuit shown in fig. 89.
Fig. 91 is a view of the configuration of the fetch determination circuit shown in fig. 90.
Fig. 92 illustrates the take-out range limiting data shown in fig. 91.
Fig. 93 is a view of fetching inter-AP call relation definition data shown in fig. 91.
Fig. 94 is a view of the structure of the readout judgment circuit shown in fig. 90.
Fig. 95 illustrates the readout range limiting data shown in fig. 94.
Fig. 96 illustrates the read inter-AP call relation definition data shown in fig. 94.
Fig. 97 is a view of the structure of the write judging circuit shown in fig. 90.
Fig. 98 illustrates the write range limitation data shown in fig. 97.
Fig. 99 illustrates the write inter-AP call relation definition data shown in fig. 97.
Fig. 100 illustrates another embodiment of the present invention.
Fig. 101 illustrates another embodiment of the present invention.
Fig. 102 is a structural view of a semiconductor chip of the first embodiment of the present invention.
Fig. 103 illustrates a software configuration of the semiconductor chip shown in fig. 102.
Fig. 104 illustrates the structure of the program module shown in fig. 102.
Fig. 105 is a structural view of a semiconductor chip of the second embodiment of the present invention.
Fig. 106 illustrates the structure of the program module shown in fig. 105.
Fig. 107 illustrates the encryption and decryption unit and the parity data performed by the encryption/decryption circuit shown in fig. 105.
Fig. 108 illustrates a key information table held by the encryption/decryption circuit shown in fig. 105.
Fig. 109 is a view of the entire structure of the communication system of the present embodiment.
Fig. 110 illustrates another SAM chip with which the SAM chip shown in fig. 109 communicates.
Fig. 111 illustrates another SAM chip with which the SAM chip shown in fig. 109 communicates.
Fig. 112 is a functional block diagram of the IC card shown in fig. 109.
Fig. 113 is a view illustrating the memory shown in fig. 112.
Fig. 114 illustrates a software structure of the SAM chip shown in fig. 109.
Fig. 115 illustrates a storage area of the external memory shown in fig. 109.
Fig. 116 illustrates the application AP shown in fig. 115.
Fig. 117 illustrates the type of application unit data APE shown in fig. 116.
Fig. 118 illustrates a process of the SAM chip shown in fig. 109.
Fig. 119 illustrates a command used in the IC card operation macro command script program shown in fig. 118.
Fig. 120 illustrates the AP management storage area shown in fig. 115.
Fig. 121 illustrates AP management table data shown in fig. 120.
Fig. 122 illustrates a SAM_ID.
Fig. 123 illustrates the APP table data shown in fig. 120.
Fig. 124 is a functional block diagram of the SAM chip shown in fig. 109.
Fig. 125 illustrates tasks, programs, and data stored in the memory shown in fig. 124.
Fig. 126 illustrates the format of the IC card entity data 73_x.
Fig. 127 illustrates state transitions of the entity state data shown in fig. 126.
Fig. 128 is a flowchart of processing performed by the IC card process management task.
Fig. 129 illustrates a process performed by the SAM chip when data defined by other application unit data APE is accessed or processed in accordance with the routine defined by the application unit data APE when the job of step ST4 of fig. 128 is executed.
Fig. 130 illustrates a process performed by the SAM chip when accessing or processing data defined by other application unit data APE according to the routine defined by the application unit data APE when executing the job of step ST4 of fig. 128.
Fig. 131 illustrates the overall operation of the communication system shown in fig. 109.
Fig. 132 illustrates the overall operation of the communication system shown in fig. 109.
Fig. 133 is a view illustrating the prior art.
Detailed Description
Embodiments of the present invention will be described below with reference to the accompanying drawings.
First embodiment
The present embodiment is an embodiment corresponding to the first to sixth aspects of the present invention.
Fig. 1 is an overall configuration of a communication system 1 of the present embodiment.
As shown in fig. 1, the communication system 1 uses a server 2, an IC card 3, a reader/writer 4, a personal computer 5, an ASP (application service provider) server 6, and a SAM (secure application module) apparatus 9 communicating through the internet 10, and performs settlement processing or other processing using the IC card 3 (an integrated circuit of the present invention).
The SAM device 9 has an external memory 7 and a SAM chip (semiconductor circuit of the present invention) 8.
The SAM chip 8 has a software configuration as shown in fig. 2.
As shown in fig. 2, the SAM chip 8 has, from the bottom layer to the top layer, a HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer, and an AP layer.
The low level handler layer includes a driver layer.
Here, the AP layer includes application programs AP_1, AP_2, and AP_3 that define the processing in which the IC card 3 is used by a credit card company or other enterprises 15_1, 15_2, and 15_3 shown in fig. 1.
In the AP layer, a firewall FW is provided between the application programs AP_1, AP_2, and AP_3 and the high-level handler layer.
The application program AP _1 is determined by service definition table data (correspondence instruction data) 20_1 and a script program (operation description program) 21_1, which are saved in the external memory 7 and described later.
The application program AP _2 is determined by service definition table data (correspondence instruction data) 20_2 and a script program (operation description program) 21_2, which are stored in the external memory 7 and described later.
The application program AP _3 is determined by service definition table data (correspondence instruction data) 20_3 and a script program (operation description program) 21_3, which are stored in the external memory 7 and described later.
The SAM chip 8 is connected to the ASP server 6 through a SCSI port, Ethernet, or the like. The ASP server 6 is connected to several terminal devices via the internet 10, including the personal computer 5 of the end user and the personal computers 16_1, 16_2, and 16_3 of the enterprises 15_1, 15_2, and 15_3.
The personal computer 5 is connected to the dumb-type reader/writer 4 through a serial port or a USB port. The reader/writer 4 performs the physical wireless communication with the IC card 3.
An operation command sent to the IC card 3 is generated on the SAM device 9 side, and the response packet from the IC card 3 is analyzed there. Thus, the reader/writer 4, the personal computer 5, and the ASP server 6 interposed between them function only to place the command or response contents in the data payload section and relay that data payload section. They take no part in encryption or decryption of data, authentication, or other actual operations on the IC card 3.
The personal computers 16_1, 16_2, and 16_3 can download a script program, described later, onto the SAM chip, thereby customizing their application programs AP_1, AP_2, and AP_3.
The components shown in fig. 1 are explained below.
[IC card 3]
Fig. 3 is a functional block diagram of the IC card 3.
As shown in fig. 3, the IC card 3 has an IC (integrated circuit) 3a configured with a memory 50 and a processor 51.
As shown in fig. 4, the memory 50 has a memory area 55_1 used by the credit card company or other enterprise 15_1, a memory area 55_2 used by the enterprise 15_2, and a memory area 55_3 used by the enterprise 15_3.
Further, the memory 50 holds key information for judging access authority to the memory area 55_1, key information for judging access authority to the memory area 55_2, and key information for judging access authority to the memory area 55_3. The key information is used for mutual authentication, encryption and decryption of data, and the like.
Further, the memory 50 holds the IC card 3 or identification information of the user of the IC card 3.
The SAM device 9 will be described in more detail below.
[External memory 7]
Fig. 5 illustrates data and programs stored in the external memory 7 shown in fig. 1.
As shown in fig. 5, the external memory 7 holds service definition table data 20_1 and an IC card operation macro command script program 21_1 of the enterprise 15_1.
Further, the external memory 7 holds service definition table data 20_2 and an IC card operation macro command script program 21_2 of the enterprise 15_2.
Further, the external memory 7 holds service definition table data 20_3 and an IC card operation macro command script program 21_3 of the enterprise 15_3.
The service definition table data 20_1, 20_2, and 20_3 have the same format.
Further, the IC card operation macro command script programs 21_1, 21_2, and 21_3 are written with a common macro command.
Further, the service definition table data 20_1, 20_2, and 20_3 and the IC card operation macro command script programs 21_1, 21_2, and 21_3 are stored in the external memory 7 in encrypted and encoded form. The encrypted and encoded data and programs are decrypted in the SAM chip 8.
In the present embodiment, script programs 21_1, 21_2, and 21_3 are generated by enterprises 15_1, 15_2, and 15_3 using personal computers 16_1, 16_2, and 16_3 shown in fig. 1, and are downloaded to the external memory 7 through the SAM chip 8.
Further, the manager of the SAM chip 9 generates the service definition table data 20_1, 20_2, and 20_3 according to the instructions of the enterprises 15_1, 15_2, and 15_3.
Fig. 6 illustrates the service definition table data 20_1.
As shown in fig. 6, the service definition table data 20_1 has a service type unit (operation name), an address, a service number (operation code), key version information, and key information.
The "service type unit" indicates a name assigned to a service provided by an application of the enterprise 15_1. The service type unit is an identifier that the application of the enterprise 15_1 can use in place of the service number of the service.
In the present embodiment, "Rc", "Rd", "Wd", and "Wc" are used as the service type units of the service definition table data 20_1 of the enterprise 15_1, as shown in fig. 6.
In the present embodiment, the IC card operation macro command script program 21_1 defines the contents of a service that combines several service type units and reflects this in the IC card entity data (job management data) described later, so that a combined service corresponding to several service type units can be provided.
For example, a service for combining a service for reading data from the IC card 3 and a service for writing data in the server 2 may be determined in the IC card entity data.
The service number in the service definition table data 20_1 is the operation command that is issued to the IC card 3, and that the IC card 3 can interpret, when a service provided by the enterprise 15_1 is executed.
The "address" in the service definition table data 20_1 indicates an address to hold data related to a procedure relating to a corresponding service type unit.
The "key version information" in the service definition table data 20_1 indicates the version of the key used when the service is provided.
The "key information" in the service definition table data 20_1 is key information used when the service is provided.
For example, in the service definition table data 20_1, key information used when accessing the storage area 55_1 of the IC 3a of the IC card 3 shown in fig. 3 is set.
Further, in the service definition table data 20_2, key information used when accessing the storage area 55_2 of the IC 3a is set.
Further, in the service definition table data 20_3, key information used when accessing the storage area 55_3 of the IC 3a is set.
The IC card operation macro command script program 21_1 will be explained below.
The script program 21_1 is a program for determining an application program of the enterprise 15_1 running on the SAM chip and a processing procedure performed by the IC card 3 when executing the application program.
In the present embodiment, as will be described later and as shown in fig. 7, the SAM chip 8 generates IC card entity template data 30_1, an input data block 31_x1, an output data block 32_x2, log data 33_x3, and a calculation definition data block 34_x4 for the processes related to the enterprise 15_1, using the service definition table data 20_1 and the script program 21_1.
Fig. 8 illustrates commands for describing the IC card operation macro command script programs 21_1, 21_2, and 21_3.
As for the command, a command regarding the SAM chip 8 itself is given the initial "S", and a command related to the operation of the IC card 3 is given the initial "C".
In addition, the second letter is chosen according to the purpose. For example, the second letter is "I" for a description that sets the issuer of the IC card 3, "S" for a description of service type units, "R" for a description of reading from the IC card 3, "W" for a description of writing to the IC card 3, and "F" for a definition of a calculation between service type units.
The commands for describing the script programs 21_1, 21_2, and 21_3 include an SC command, an SO command, an SI command, an SL command, an SF command, a CI command, a CS command, a CR command, and a CW command.
The SC command is a command that specifies the maximum number of IC card entity data that can be simultaneously processed by the SAM chip 8.
For example, when the SAM chip 8 can process 1000 IC card entity data at the same time, the description is "SC: 1000".
The SO command specifies which of the data blocks generated in the SAM chip 8 constitutes the output data block 32_x2 holding data read from the IC card 3 when processing is performed with the IC card 3 based on the IC card entity data described later.
For example, when the data blocks 1 to 10 are formed and the data read from the IC card 3 is to be saved in the data block 1, the description is "SO: 1".
The SI command specifies which of the data blocks formed in the SAM chip 8 constitutes the input data block 31_x1 holding data to be written to the IC card 3 when processing is performed with the IC card 3 based on the IC card entity data described later.
For example, when the data blocks 1 to 10 are formed and the data to be written to the IC card 3 is to be saved in the data blocks 2 and 3, the description is "SI: 2,3".
The SL command specifies which of the data blocks formed in the SAM chip 8 constitutes the log data block 33_x3 for saving log data relating to the operation when processing is performed with the IC card 3 based on the IC card entity data described later.
For example, when the data blocks 1 to 10 are formed and the log data is to be saved in the data block 4, the description is "SL: 4".
The SF command specifies the data block forming the calculation definition data block 34_x4, which describes the definition of the relationship (calculation) between service type units relating to the IC card 3.
The contents of the calculation definition data block 34_x4 become the pre-processing information of the IC card entity data.
The CI command is a command that explains an issuer (enterprise) of the IC card 3.
The information specifying the enterprise defined by the CI command becomes the IC card type information of the IC card entity data.
The CS command describes the simultaneous operation of several services on the IC card 3 by referring to the service type units.
For example, the description may be "CS: "Rc" + "Wc" + "Wd"".
The service type unit specifying information and the processing order information of the IC card entity data are determined according to the contents of the CS command.
The CR command describes that, when the relationship between the service type units is not defined (when no SF command is described), the data read from the IC card 3 is saved in a specified data block.
For example, when the data read from the IC card 3 is saved in the data block 1, the description is "CR: SO:1 = "Rc"".
The CW command describes that, when the relationship between the service type units is not defined, the data stored in a specified data block is written to the IC card 3.
For example, when the data stored in the data block 2 is written to the IC card 3, the description is "CW: SI:2 = "Wc"".
The CF command specifies the data block describing the calculation contents of a generated (combined) service.
For example, when the calculation contents of the generated service are described in SF data block 1, the description is "CF: CES_FUNC = SF:1".
Further, SF data block 1 describes, for example, "("Wc" > 10) then ("Wc" - 10; "Wd", "Wc" × 0.08 + "Wd")". This formula represents an operation that, when the remaining number Wc of services is greater than 10, subtracts 10 from the value of Wc and adds points corresponding to 8% of Wc to Wd as accumulated points.
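The script command language above is only shown through fragments, so the following added example (not the patent's own code) implements a small interpreter in the spirit of the script interpretation task: it turns a constructed script into entity template data, rejects service type units absent from the service definition table, derives the job order of fig. 12 from the CS units, and implements the SF formula as a function. The exact script syntax, the service table values, the mapping of unit-name prefixes R/W to the R and W jobs, and the truncation of points to whole numbers are assumptions made here.

```python
import re
from dataclasses import dataclass, field

# Constructed service definition table (fig. 6 layout) for one enterprise:
# service type unit -> service number (operation code), key version, key info.
# All values are placeholders, not taken from the patent.
SERVICE_TABLE = {
    "Rc": {"service_number": 0x06, "key_version": 1, "key": b"\x11" * 16},
    "Rd": {"service_number": 0x06, "key_version": 1, "key": b"\x22" * 16},
    "Wc": {"service_number": 0x08, "key_version": 2, "key": b"\x33" * 16},
    "Wd": {"service_number": 0x08, "key_version": 2, "key": b"\x44" * 16},
}

# Constructed script written in the style of the fragments quoted in the text.
SCRIPT = '''
SC: 1000
SO: 1
SI: 2,3
SL: 4
CI: "enterprise_15_1"
CS: "Rc" + "Wc" + "Wd"
CR: SO:1 = "Rc"
CW: SI:2 = "Wc"
CF: CES_FUNC = SF:1
'''


@dataclass
class EntityTemplate:
    """IC card entity template data derived from one script (fig. 7)."""
    max_entities: int = 0                               # SC
    output_blocks: list = field(default_factory=list)   # SO
    input_blocks: list = field(default_factory=list)    # SI
    log_blocks: list = field(default_factory=list)      # SL
    card_type: str = ""                                 # CI
    service_units: list = field(default_factory=list)   # CS
    block_map: dict = field(default_factory=dict)       # CR / CW: unit -> (kind, block)
    calc_function: str = ""                             # CF
    calc_block: str = ""                                # CF: referenced SF block
    job_order: list = field(default_factory=list)       # processing order (fig. 12)


def _ints(arg):
    return [int(x) for x in arg.split(",") if x.strip()]


def _units(arg):
    return re.findall(r'"([^"]+)"', arg)


def derive_job_order(units, table):
    """Job order of fig. 12 for the given units. Assumed rule: RS first,
    A1/A2 when any unit carries key information, then R and/or W depending
    on whether a unit name starts with R or W."""
    order = ["RS"]
    if any(table[u]["key"] for u in units):
        order += ["A1", "A2"]
    if any(u.startswith("R") for u in units):
        order.append("R")
    if any(u.startswith("W") for u in units):
        order.append("W")
    return order


def interpret_script(script, table):
    """Script interpretation task: script text -> template data. A CS unit
    that is not in the service definition table is rejected, since the
    unit is the only handle the enterprise has on a service."""
    tpl = EntityTemplate()
    for raw in script.strip().splitlines():
        if not raw.strip():
            continue
        cmd, _, arg = raw.strip().partition(":")
        cmd, arg = cmd.strip(), arg.strip()
        if cmd == "SC":
            tpl.max_entities = int(arg)
        elif cmd == "SO":
            tpl.output_blocks = _ints(arg)
        elif cmd == "SI":
            tpl.input_blocks = _ints(arg)
        elif cmd == "SL":
            tpl.log_blocks = _ints(arg)
        elif cmd == "CI":
            tpl.card_type = _units(arg)[0]
        elif cmd == "CS":
            units = _units(arg)
            unknown = [u for u in units if u not in table]
            if unknown:
                raise ValueError(f"unknown service type unit(s) {unknown}")
            tpl.service_units = units
        elif cmd in ("CR", "CW"):
            ref, _, unit = arg.partition("=")      # e.g. SO:1 = "Rc"
            kind, _, num = ref.strip().partition(":")
            tpl.block_map[_units(unit)[0]] = (kind, int(num))
        elif cmd == "CF":
            name, _, ref = arg.partition("=")      # e.g. CES_FUNC = SF:1
            tpl.calc_function, tpl.calc_block = name.strip(), ref.strip()
        else:
            raise ValueError(f"unknown command {cmd!r}")
    tpl.job_order = derive_job_order(tpl.service_units, table)
    return tpl


def ces_func(values):
    """The SF data block formula quoted above, under the assumed reading:
    when the remaining count Wc exceeds 10, deduct 10 from Wc and add 8% of
    the original Wc (truncated to whole points) to the accumulated points Wd."""
    v = dict(values)
    if v["Wc"] > 10:
        wc = v["Wc"]
        v["Wc"] = wc - 10
        v["Wd"] = v["Wd"] + wc * 8 // 100
    return v


if __name__ == "__main__":
    print(interpret_script(SCRIPT, SERVICE_TABLE))
    print(ces_func({"Wc": 30, "Wd": 5}))
```

The validation in the CS branch is the point worth keeping in mind: the enterprise's script never names a service number or a key, only a service type unit, so a unit the table does not know has nothing to resolve to and the template is rejected before any entity data is built from it.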
[SAM chip 8]
Fig. 9 is a functional block diagram of the SAM chip shown in fig. 1.
As shown in fig. 9, the SAM chip 8 has an ASPS communication interface means 60, an external memory communication interface means 61, a bus scramble means 62, a random number generator 63, an encryption/decryption means 64, a memory 65, and a CPU 66.
The SAM chip 8 is a tamper-proof module.
The ASPS communication interface means 60 is an interface for data input and output with the ASP server 6 shown in fig. 1.
The external memory communication interface device 61 is an interface for data input and output with the external memory 7.
When data is input and output through the external memory communication interface device 61, the bus scrambling device 62 encodes and encrypts the output data and decrypts the input data.
The random number generator 63 generates a random number used in the authentication process.
The encryption/decryption device 64 encrypts data and decrypts encrypted data.
As will be described later, the memory 65 stores tasks, programs, and data used by the CPU 66.
The CPU 66 executes a script download task, a script interpretation task, an entity generation task (job management data generation task), and an IC card process management task (job management data management task) described later, as well as other tasks, according to a predetermined program (the program of the present invention).
The following describes tasks, programs, and data stored in the memory 65.
Fig. 10 illustrates the tasks, programs, and data stored in the memory 65.
As shown in fig. 10, the memory 65 holds a script download task 69, a script interpretation task 70, an entity generation task 71, an IC card process management task 72, IC card operation macro-command script programs 21_1 to 21_3, service definition tables 20_1 to 20_3, IC card entity template data 30_1 to 30_3, IC card entity data 73_x, an input data block 31_x1, an output data block 32_x2, a log data block 33_x3, and a calculation definition data block 34_x4.
As shown in fig. 7, the script download task 69 downloads the service definition table data 20_1 to 20_3 from the computer of the enterprise and loads them into the SAM chip 8.
The script interpretation task 70 generates IC card entity template data, input data blocks, output data blocks, log data blocks, and calculation definition data blocks of each enterprise using the service definition table data and the script program.
The number of data blocks generated for each enterprise is not particularly limited.
When the entity generation task 71 receives an entity generation request from the ASP server 6, it polls the IC card 3 and then generates IC card entity data for the processing of the process between the IC card 3 and the enterprise, using the IC card entity template data corresponding to that enterprise. Here the IC card entity template data serves as a class, and the IC card entity data is generated as an instance of that class.
The process of the entity generating task 71 to generate the IC card entity data will be described later in detail.
The IC card process management task 72 performs the processing of the process between the IC card 3 and the enterprises 15_1 to 15_3 using one or more IC card entity data 73_ x existing in the memory 65.
In the present embodiment, several processes performed between several IC cards 3 and the enterprises 15_1 to 15_3 are carried out simultaneously.
The IC card process management task 72 performs several of the plurality of processes in parallel.
When the series of processes is completed, the IC card process management task 72 deletes the IC card entity data 73_ x.
The processing of the IC card process management task 72 will be described later in detail.
The script programs 21_1 to 21_3 are input from the external memory 7 to the memory 65 by the script download task 69.
The service definition table data 20_1-20_3 is input from the external memory 7 by the script download task 69 and saved in the memory 65.
The IC card entity template data 30_1 to 30_3 are generated by the script interpretation task 70 and used as templates (categories) when generating the IC card entity data 73_ x of the processes relating to the respective businesses.
The entity generation task 71 generates the IC card entity data 73_x as an instance of a class, using the IC card entity template data 30_1 to 30_3 as the class.
The input data block 31_ x1, the output data block 32_ x2, the log data block 33_ x3, and the calculation definition data block 34_ x4 are generated by the script interpretation task 70.
The IC card entity data 73_ x is explained below.
When the SAM chip 8 receives from the ASP server 6 a processing request for processing using the IC card 3 and the application of a predetermined enterprise, the entity generation task 71 generates IC card entity data 73_x in the SAM chip 8 using the IC card entity template data of the corresponding enterprise.
Fig. 11 illustrates the format of the IC card entity data 73_ x.
As shown in fig. 11, the IC card entity data 73_ x has management pointer information 80, entity ID information 81, entity status information (status data) 82, IC card type information 83, service type unit specifying information 84, processing order information (processing order data) 85, pre-processing information 86, and post-processing information 87.
The management pointer information 80 is a bidirectional pointer for managing the IC card entity data 73_ x in the memory 65.
The entity ID information 81 is used for generation of the IC card entity data 73_ x, confirmation of the progress status, deletion, or request of the remaining series of processes using the IC card entity data 73_ x. The entity ID information 81 also becomes a return value given to the end user. The entity ID information 81 corresponds to a descriptor when a file is opened in a general file system.
The entity state information 82 indicates the state of progress of the process related to the IC card 3.
As shown in fig. 12, the basic state of the IC card entity data 73_ x includes a state (RS) of a process of investigating a service that the IC card 3 can use, a state (a1) of a process by which the SAM chip 8 verifies the IC card 3, a state (a2) of a process by which the IC card 3 verifies the SAM chip 8, a state (R) of a process of reading data from the IC card 3, and a state (W) of a process of writing data to the IC card 3.
In the present embodiment, the process of investigating the enterprise, the process of verifying the IC card 3 by the SAM chip 8, the process of verifying the SAM chip 8 by the IC card 3, the process of reading data from the IC card 3, and the process of writing data into the IC card 3 each correspond to a job.
As described later, the "job" is a processing unit for which the IC card process management task 72 determines the execution order.
Note that a1 and a2 constitute mutual authentication processing between the IC card 3 and the SAM chip 8.
Further, in the present embodiment, in consideration of the communication time on the internet 10, as shown in the state transition diagram of fig. 12, the above-mentioned basic state is divided into a post-startup (after issuing a command) state and a completion (after receiving a response) state.
Specifically, the state of processing using the IC card entity data 73_ x is managed by an instance generation (IC card entity data generation) state, an RS post-startup state, an RS completion state, an a1 post-startup state, an a1 completion state, an a2 post-startup state, an a2 completion state, an R post-startup state, an R completion state, a W post-startup state, a W completion state, and an instance (IC card entity data) deletion state.
The IC card type information 83 is information for determining a company that issues the IC card 3.
In generating the IC card entity data 73_ x, the IC card type information 83 is set using information determined by the CI command in the script program mentioned above.
The service type unit specification information 84 indicates the service type unit of the service defined in the service definition table data used in the processing using the IC card entity data 73_ x.
In generating the IC card entity data 73_ x, the service type unit specifying information 84 is set with one or more service type units specified by the CS command in the script program mentioned above.
The processing order information 85 indicates the execution order of services (jobs) used in utilizing the IC card entity data 73_ x, i.e., the state transition shown in fig. 12.
That is, the processing order information 85 indicates the execution order of the jobs corresponding to the basic operation of the IC card 3 using the service type unit.
Here, as described later, the jobs correspond to RS, a1, a2, R, and W shown in fig. 12. The specific operation on the IC card 3 is realized by the processing sequence specified by the job. For example, for the process of using the IC card 3 in the case where there is only reading without mutual authentication, the processing order information 85 is set with "RS → R". Further, in the case of performing reading and writing of mutual authentication, the processing order information 85 is set with "RS → a1 → a2 → R → W".
When the IC card entity data 73_ x is generated, the processing order information 85 is set with the job order shown in fig. 12 corresponding to the order of the service units specified in the CS command in the script program mentioned above.
The pre-processing information 86 is set, from the ASP server 6 side, with management data used when processing with the IC card entity data 73_x is performed.
For example, the pre-processing information 86 is set with the number of points of the calculation formula of the service specified in the SF data block.
Further, when no inter-service calculation function is defined, the pre-processing information 86 is set with the requested processing charge (fee).
For example, in the case of settlement, a state relating to the amount of charge or points to be given is set.
The post-processing information 87 is set using the data of the processing result of the IC card entity data 73_ x required on the ASP server 6 side. For example, in the case of settlement, post-processing information 87 is set using data indicating that settlement is normally ended.
A routine of processing by the IC card process management task 72 shown in fig. 10 in relation to the several IC cards 3 using the several IC card entity data 73_ x will be explained.
The IC card process management task 72 is continuously started on the CPU 66 of the SAM chip 8 shown in fig. 9.
Fig. 13 is a flowchart of processing performed by the IC card process management task 72.
Step ST1:
The IC card process management task 72 selects one IC card entity data 73_x from among the several IC card entity data 73_x existing in the memory 65 for performing the next process.
The method of selecting the IC card entity data 73_ x may be to sequentially select the IC card entity data 73_ x existing in the memory 65, or to assign a priority order and select according to the priority in the order of the highest priority.
Step ST2:
The IC card process management task 72 determines whether the job of the IC card entity data 73_x selected at step ST1 has already been started. When it is judged that the job has been started, the task proceeds to step ST5; when it is judged that the job has not been started, it proceeds to step ST3.
Step ST3:
Based on the entity status information 82 (fig. 11) of the IC card entity data 73_x selected at step ST1, the IC card process management task 72 judges in which state of the state transition diagram of fig. 12 the processing related to that entity data is, and determines the job to be executed next based on the processing order information 85.
At this time, the processing order information 85 determines the execution order of the jobs using the service type units set in the service definition table data, as described above.
Step ST4:
The IC card process management task 72 starts the job selected at step ST3.
The IC card process management task 72 executes the job using the data block related to the job among the above-mentioned input data block 31_ x1, output data block 32_ x2, log data block 33_ x3, and calculation definition data block 34_ x 4.
At this time, when a command is issued to the IC card 3 to execute the job, the IC card process management task 72 uses the service type unit corresponding to the job as a key to search the service definition table data, thereby obtaining the service number corresponding to that service type unit (the operation command that the IC card 3 can interpret). The IC card process management task 72 then issues a command to the IC card 3 using the obtained service number.
Further, as explained with fig. 4, when key information is required to access a storage area of the IC 3a of the IC card 3, the IC card process management task 72 searches the service definition table data using the service type unit corresponding to the job and obtains the key information corresponding to that service type unit. The IC card process management task 72 uses this key information to complete mutual authentication with the IC card 3, encryption and decryption of data, and other processing, and thereby obtains the authority to access the predetermined storage area of the IC card 3.
Step ST5:
When the IC card process management task 72 has issued a command to the IC card 3 and is waiting for the processing result from the IC card 3, step ST5 is executed.
When the IC card process management task 72 receives the processing result from the IC card 3, it places the result in the IC card entity data 73_ x.
Step ST6:
The IC card process management task 72 updates the entity status information of the IC card entity data 73_ x shown in fig. 11.
In this way, in the present embodiment, the IC card process management task 72 selects, in order, the IC card entity data 73_x of the several IC cards 3 existing in the SAM chip 8 and thereby performs the processing for the several IC cards 3 in parallel. Thus, even when processing requests for processes using several IC cards 3 are received, the SAM chip 8 can carry out that processing concurrently.
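The state transitions of fig. 12 and the ST1 to ST6 loop above can be exercised with the following added example, which is not the patent's own code. It models reduced IC card entity data, a link that answers each command only several scheduler ticks later (standing in for the reader/writer, PC, ASP server and internet), and a management task that advances several entities in round-robin; the trace it returns shows a second entity's job being started while the first is still waiting for the card, which is the latency-hiding effect the post-startup/completion split is meant to give. The job-to-service-unit mapping, the opcode values and the tick delay are assumed placeholders.

```python
from dataclasses import dataclass, field

# Constructed service definition table entries (fig. 6): service type unit ->
# service number (operation code) and key information. Placeholder values.
SERVICE_TABLE = {
    "Rc": {"service_number": 0x06, "key": b"\x11" * 16},
    "Rd": {"service_number": 0x06, "key": b"\x22" * 16},
    "Wc": {"service_number": 0x08, "key": b"\x33" * 16},
}
POLL_OPCODE = 0x00   # assumed placeholder: RS (service investigation) command
AUTH_OPCODE = 0x10   # assumed placeholder: A1/A2 mutual authentication command


@dataclass
class EntityData:
    """IC card entity data 73_x (fig. 11), reduced to the fields the task uses."""
    entity_id: int
    card_type: str                  # IC card type information 83
    service_units: list             # service type unit specifying information 84
    processing_order: list          # processing order information 85, e.g. RS,A1,A2,R,W
    status: str = "instance_generated"   # entity status information 82 (fig. 12)
    job_started: bool = False
    post_processing: dict = field(default_factory=dict)   # post-processing information 87


class SimulatedCardLink:
    """Constructed stand-in for the path to the card: a command issued at
    tick t is answered only at tick t + delay. No real card is involved."""
    def __init__(self, delay):
        self.delay = delay
        self.inflight = {}          # entity_id -> (due_tick, job, response)

    def send(self, tick, entity_id, job, opcode):
        self.inflight[entity_id] = (tick + self.delay, job, f"{job}:{opcode:#04x}:ok")

    def poll(self, tick, entity_id):
        due, job, resp = self.inflight.get(entity_id, (None, None, None))
        if due is None or tick < due:
            return None
        del self.inflight[entity_id]
        return job, resp


def command_for(job, entity):
    """ST4: search the service definition table with the job's service type
    unit to obtain the service number and key (assumed mapping of jobs to units:
    R uses a unit starting with R, W a unit starting with W)."""
    if job == "RS":
        return POLL_OPCODE, None
    if job in ("A1", "A2"):
        return AUTH_OPCODE, SERVICE_TABLE[entity.service_units[0]]["key"]
    unit = next(u for u in entity.service_units if u.startswith(job))
    row = SERVICE_TABLE[unit]
    return row["service_number"], row["key"]


def next_job(entity):
    """ST3: the job following the current state in processing order information 85."""
    if entity.status == "instance_generated":
        return entity.processing_order[0]
    done = entity.status.removesuffix("_completed")
    idx = entity.processing_order.index(done)
    return entity.processing_order[idx + 1] if idx + 1 < len(entity.processing_order) else None


def management_task(entities, link, max_ticks=500):
    """IC card process management task 72: one pass of ST1-ST6 per tick."""
    trace = []
    active = list(entities)
    tick = 0
    while active and tick < max_ticks:
        tick += 1
        e = active[(tick - 1) % len(active)]                 # ST1: sequential selection
        if e.job_started:                                    # ST2: job already started
            resp = link.poll(tick, e.entity_id)              # ST5: wait for the card's result
            if resp is None:
                continue                                     # not answered yet; try another entity
            job, data = resp
            e.post_processing[job] = data                    # ST5: place result in entity data
            e.status, e.job_started = f"{job}_completed", False   # ST6: completion state
            trace.append((tick, e.entity_id, f"{job} completed"))
            continue
        job = next_job(e)                                    # ST3
        if job is None:                                      # series finished: delete entity
            e.status = "deleted"
            active.remove(e)
            trace.append((tick, e.entity_id, "deleted"))
            continue
        opcode, _key = command_for(job, e)                   # ST4: service number and key
        link.send(tick, e.entity_id, job, opcode)            # ST4: issue the command
        e.status, e.job_started = f"{job}_started", True     # ST6: post-startup state
        trace.append((tick, e.entity_id, f"{job} started"))
    return trace


if __name__ == "__main__":
    a = EntityData(1, "enterprise_15_1", ["Rc", "Wc"], ["RS", "A1", "A2", "R", "W"])
    b = EntityData(2, "enterprise_15_2", ["Rd"], ["RS", "R"])
    for event in management_task([a, b], SimulatedCardLink(delay=3)):
        print(event)
```

The key obtained at ST4 is looked up but not used here, since the mutual authentication and encryption it feeds are not simulated; what the trace does show is that with a delay of three ticks the second entity's RS job is issued at tick 2, long before the first entity's response arrives at tick 5.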
All operations of the communication system shown in fig. 1 will be described below.
Fig. 14 and 15 illustrate all operations of the communication system 1 shown in fig. 1.
Step ST21:
The enterprises 15_1 to 15_3, or a party requested by these enterprises, generate the script programs 21_1, 21_2, and 21_3 describing the processing of the enterprises' transactions using the IC card 3 on the personal computers 16_1, 16_2, and 16_3 shown in fig. 1.
Further, the manager of the SAM chip 8 generates the service definition table data 20_1, 20_2, and 20_3 corresponding to the enterprises 15_1 to 15_3.
Step ST22:
The service definition table data 20_1, 20_2, and 20_3 generated in step ST21 are saved in the external memory 7.
Further, the script programs 21_1, 21_2, and 21_3 generated at step ST21 are downloaded from the personal computers 16_1, 16_2, and 16_3 to the external memory 7 through the internet 10, the ASP server 6, and the SAM chip 8. As shown in fig. 7, this download process is managed by a script download task 69 in the SAM chip 8.
Step ST23:
The script interpretation task 70 in the SAM chip shown in fig. 7 generates IC card entity template data, an input data block, an output data block, a log data block, and a calculation definition data block for each enterprise using the service definition table data and the script program.
The generated data is stored in the memory 65 of the SAM chip 8 shown in fig. 9.
Step ST24:
The IC card 3 is issued to the user.
As shown in fig. 4, the memory 50 of the IC 3a of the IC card 3 holds key information for transactions agreed upon by the user and the enterprise.
Note that after the IC card 3 is issued, the user and the enterprise can also contract with each other through the internet 10 or the like.
Step ST25:
For example, when a user attempts to purchase a product by accessing the server 2 via the internet 10 using the personal computer 5, the server 2 issues a processing request to the ASP server 6 via the internet 10.
When the ASP server 6 receives a processing request from the server 2, it accesses the personal computer 5 through the internet 10. Further, as shown in fig. 16A, the processing request issued by the reader/writer 4 of the IC card 3 is transmitted to the SAM chip 8 through the personal computer 5, the internet 10, and the ASP server 6.
Step ST26:
The ASP server 6 outputs an entity generation request to the SAM chip 8.
The entity generation request holds information indicating the issuer of the IC card 3.
Step ST27:
When the SAM chip 8 receives the entity generation request, it polls the IC card 3 as shown in fig. 16B.
Step ST28:
After the polling ends, the entity generation task 71 of the SAM chip 8 judges whether the number of IC card entity data 73_x existing in the SAM chip 8 is within the maximum number determined by the SC command of the script program. If it is within the maximum number, the processing proceeds to step ST29; if it is not, the processing is ended.
Step ST29:
Based on the information indicating the issuer of the IC card 3 held in the entity generation request, the entity generation task 71 specifies which enterprise's IC card entity template data is to be used, and generates IC card entity data 73_x using the specified IC card entity template data.
This corresponds to the instance generation shown in fig. 12.
Step ST30:
The SAM chip 8 outputs the entity ID of the IC card entity data 73_x generated at step ST29 to the ASP server 6.
Step ST31:
The IC card process management task 72 of the SAM chip 8 investigates the services that the IC card 3 can use.
This is processing corresponding to the job RS shown in fig. 12.
Step ST32:
The IC card process management task 72 of the SAM chip 8 verifies the validity of the IC card 3.
This is processing corresponding to job a1 shown in fig. 12.
Step ST33:
The IC card 3 verifies the validity of the SAM chip 8.
This is processing corresponding to job a2 shown in fig. 12.
By steps ST32 and ST33, the IC card 3 and the SAM chip 8 authenticate each other. This corresponds to fig. 16C.
Step ST34:
The IC card process management task 72 of the SAM chip 8 reads and writes the data necessary for the process on the IC card 3.
This is processing corresponding to the jobs R and W shown in fig. 12 and fig. 16D and 16E.
Further, the IC card process management task 72 performs predetermined calculation processing using data read from the IC card 3 using a calculation formula specified from the preprocessing information of the IC card entity data 73_ x.
Step ST35:
As shown in fig. 16F, the IC card process management task 72 of the SAM chip 8 outputs the processing result of step ST34 to the ASP server 6.
Step ST36:
The IC card process management task 72 then deletes the IC card entity data 73_x.
As described above, according to the communication system 1, it is possible to generate IC card entity data 73_x for each process carried out with an IC card 3, and to have the IC card process management task 72 use the several IC card entity data 73_x while the processing for the several IC cards 3 continues.
Further, according to the authentication system 1, since it is sufficient to hold in the memory 65 only the IC card entity data 73_x actually used for the processing of the IC card 3, the memory area of the memory 65 can be used effectively.
In addition, according to the authentication system 1, as shown in fig. 12, since the execution state of the job processed by the IC card process management task 72 is divided into the post-start state and the completion state, after starting execution of one job, it is possible to start processing of another job in a state of waiting for data from the IC card 3. Thus, the waiting time caused by data transfer with the IC card 3 via the internet 10 can be eliminated.
Further, according to the authentication system 1, the service definition table data describes the names representing the types of services provided by the respective enterprises, i.e., the service type units, the service numbers used in the IC card 3, and the key information used when providing the services, and this is stored in the external memory 7. Thus, the enterprises 15_1 to 15_3, which are not the developers of the SAM chip 8, can generate their own applications running on the SAM chip 8 by means of the script programs 21_1, 21_2, and 21_3 and download these applications to the external memory 7 through the SAM chip 8 for customization. That is, the enterprises 15_1 to 15_3 can customize their own applications without being given the key information, the operation commands for directly operating the IC card 3, or other highly confidential information. In addition, since an enterprise customizing its application does not need to know the key information or the card operation commands, the burden on the enterprise is reduced.
Further, according to the authentication system 1, since calculation contents that generate a service from several services can be defined, it is possible to provide various services combining several of the many services permitted to be executed simultaneously on the IC card 3 side.
Further, according to the authentication system 1, by introducing the concept of data block, data input and data output with respect to the IC card 3 and log data can be easily managed.
Fig. 17 is a functional block diagram showing functional blocks of the SAM chip 8 shown in fig. 9 in more detail.
As shown in fig. 9, the SAM chip 8 connects the ASPS communication interface means 60, the external memory communication interface means 61, the bus scramble means 62, the random number generator 63, the encryption/decryption means 64, the memory 65, and the CPU 66 through the internal bus 90.
In the SAM chip 8 shown in fig. 17, as shown in fig. 18, it is also possible to connect a card I/F device 91 attached to the internal bus 90 to an RF receiving/transmitting device 92 outside the chip 8, and to exchange data with the IC card 3 by a contactless system through the antenna 92a of the RF receiving/transmitting device 92.
Second embodiment
The present embodiment is an embodiment corresponding to the seventh to ninth aspects of the present invention.
Fig. 19 is a schematic diagram of the overall configuration of the communication system 101 of the present embodiment.
As shown in fig. 19, the communication system 101 comprises a server 102, an IC card 103 (the integrated circuit of the present invention), a reader/writer 104, a personal computer 105, an ASP (application service provider) server 106, a SAM (secure application module) apparatus 109, personal computers 116_1, 116_2, and 116_3, and authentication apparatuses 117_1, 117_2, and 117_3, which communicate through the internet 110, and performs settlement processing or other processing for transactions using the IC card 103.
The SAM apparatus 109 has an external memory 107 (the semiconductor memory circuit of the present invention) and a SAM chip 108 (the semiconductor circuit of the present invention).
The SAM chip 108 has the software configuration shown in fig. 20.
As shown in fig. 20, the SAM chip 108 has, from the bottom layer to the top layer, a HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer, and an AP layer.
The low-level handler layer includes a driver layer.
Here, the AP layer includes application programs AP_1, AP_2, and AP_3 that define the processing in which the IC card 103 is used by a credit card company or other enterprises 115_1, 115_2, and 115_3 shown in fig. 19.
In the AP layer, a firewall FW (the firewall of the present invention) is provided between the application programs AP_1, AP_2, and AP_3 and the high-level handler layer.
The SAM chip 108 is connected to the ASP server 106 through a SCSI port, ethernet, or the like. The ASP server 106 is connected through the internet 110 to several terminal devices, including the personal computer 105 of the end user and the personal computers 116_1, 116_2, and 116_3 of the enterprises 115_1, 115_2, and 115_3.
The personal computer 105 is connected to the dumb-type reader/writer 104 through a serial port or a USB port. The reader/writer 104 performs the physical wireless communication with the IC card 103.
An operation command to be sent to the IC card 103 is generated on the SAM apparatus 109 side, and the response packet from the IC card 103 is analyzed there. Thus, the reader/writer 104, the personal computer 105, and the ASP server 106 in between serve only to carry the command or response in the data payload section and relay it; they take no part in the encryption or decryption of data, authentication, or the other actual operations on the IC card 103.
The enterprises 115_1, 115_2, and 115_3 generate the application programs AP_1, AP_2, and AP_3 using their personal computers 116_1, 116_2, and 116_3, and download the generated application programs into predetermined storage areas in the external memory 107 through the authentication apparatuses 117_1, 117_2, and 117_3 and via the SAM chip 108.
At this time, since the enterprises 115_1, 115_2, and 115_3 are independent of each other, the SAM chip 108 determines in advance the storage areas in the external memory 107 into which the application programs AP_1, AP_2, and AP_3 can be downloaded, and verifies whether the downloader has the right to download to those storage areas.
Further, the firewall FW restricts data transfer and data viewing between the applications AP_1, AP_2, and AP_3 while they are being executed.
When the application programs AP_1, AP_2, and AP_3 are downloaded to the SAM chip 108, as will be described later, the authentication apparatuses 117_1, 117_2, and 117_3 perform mutual authentication with the SAM chip 108, generate download signature verification key information, and so on.
The components shown in fig. 19 are explained below.
[IC card 103]
Fig. 21 is a functional block diagram of the IC card 103.
As shown in fig. 21, the IC card 103 has an IC (integrated circuit) 103a provided with a memory 150 and a processor 151.
As shown in fig. 22, the memory 150 has a storage area 155_1 used by a credit card company or other enterprise 115_1, a storage area 155_2 used by the enterprise 115_2, and a storage area 155_3 used by the enterprise 115_3.
Further, the memory 150 holds key information for judging access authority to the storage area 155_1, key information for judging access authority to the storage area 155_2, and key information for judging access authority to the storage area 155_3. This key information is used for mutual authentication, encryption and decryption of data, and the like.
Further, the memory 150 holds identification information of the IC card 103 or of the user of the IC card 103.
The SAM apparatus 109 will be described in more detail below.
[External memory 107]
Fig. 23 illustrates the storage areas of the external memory 107.
As shown in fig. 23, the storage areas of the external memory 107 include an AP storage area 120_1 that stores the application program AP_1 of the enterprise 115_1, an AP storage area 120_2 that stores the application program AP_2 of the enterprise 115_2, an AP storage area 120_3 that stores the application program AP_3 of the enterprise 115_3, an AP management storage area 121 used by the manager of the SAM chip 108, and a key information storage area 122.
The application program AP_1 stored in the AP storage area 120_1 is composed of several program modules. Access to the AP storage area 120_1 is restricted by a firewall FW_1.
The application program AP_2 stored in the AP storage area 120_2 is composed of several program modules. Access to the AP storage area 120_2 is restricted by a firewall FW_2.
The application program AP_3 stored in the AP storage area 120_3 is composed of several program modules. Access to the AP storage area 120_3 is restricted by a firewall FW_3.
In the present embodiment, the program module is the smallest unit downloaded from outside the SAM apparatus 109 to the external memory 107. The number of program modules constituting each application program can be freely determined by the corresponding enterprise.
Further, the application programs AP_1, AP_2, and AP_3 saved in the external memory 107 are stored in encrypted form and are decrypted when read into the SAM chip 108.
Further, the application programs AP_1, AP_2, and AP_3 are generated by the enterprises 115_1, 115_2, and 115_3 using the personal computers 116_1, 116_2, and 116_3 shown in fig. 19, and are downloaded to the external memory 107 through the SAM chip 108.
Access to the AP management storage area 121 is restricted by a firewall FW_4.
Note that the firewalls FW_1, FW_2, FW_3, and FW_4 correspond to the firewall FW shown in fig. 20.
The AP management storage area 121 holds the module management data 130 shown in fig. 24.
The module management data 130 records in advance the module names and the download signature verification key information (the download key information of the present invention) of the program modules to be downloaded from the personal computers 116_1, 116_2, and 116_3.
That is, the download of a program module is permitted on condition that its download signature verification key information has been recorded in advance in the module management data 130.
Further, the module management data 130 records the module names and the execution signature verification key information of the program modules to be executed by the SAM chip 108.
That is, a program module may be executed by the SAM chip 108 on condition that its execution signature verification key information has been recorded in advance in the module management data 130.
As shown in fig. 24, the module management data 130 associates, for each program module of the application programs AP_1, AP_2, and AP_3 stored in the AP storage areas 120_1, 120_2, and 120_3, the firewall number (the firewall identification information of the present invention) of the firewall restricting access to the program module, the start address, the address length, the download signature verification key information, the execution signature verification key information, and the module name.
Here, the firewall number is the number of the firewall that restricts access to the program module.
The start address indicates the start address of the storage area to which the firewall restricts access.
The address length indicates the length of the storage area to which the firewall restricts access.
The download signature verification key information is the key information used for signature verification when the program module is downloaded to the external memory 107 through the SAM chip 108.
The execution signature verification key information is used to verify the signature information given to the program module when the SAM chip 108 executes the program module. For example, in the present embodiment, each program module is given signature information proving its legitimacy. If the program module has been illegally modified or tampered with, verifying the signature information with the execution signature verification key information reveals this, so the validity of the program module can be confirmed.
The module name is the name assigned to the program module.
The key information storage area 122 holds encryption key information K_C1 used when the application program AP_1 is executed to access the storage area 155_1 of the IC card 103 shown in fig. 22, encryption key information K_C2 used when the application program AP_2 is executed to access the storage area 155_2, and encryption key information K_C3 used when the application program AP_3 is executed to access the storage area 155_3.
The key information K_C1, K_C2, and K_C3 is encrypted with key information K_X.
Only the administrator of the SAM chip 108 is allowed access to the key information storage area 122.
[SAM chip 108]
Fig. 25 is a functional block diagram of the SAM chip 108 shown in fig. 19.
As shown in fig. 25, the SAM chip 108 has an ASPS communication interface means 160, an external memory communication interface means 161, a bus scramble means 162, a signature processing means 163, a verification processing means 164, an encryption/decryption means 165, a memory 166, and a CPU 167.
The SAM chip 108 is a tamper-resistant module.
The ASPS communication interface means 160 is an interface for inputting and outputting data to and from the ASP server 106 shown in fig. 19.
The external memory communication interface means 161 is an interface for inputting and outputting data to and from the external memory 107.
When data is input and output through the external memory communication interface means 161, the bus scramble means 162 encrypts the output data and decrypts the input data.
As described later, the signature processing means 163 generates and verifies signatures when an application program is downloaded to the external memory 107 via the internet 110 and when the application program is executed.
When an application program is downloaded to the external memory 107 via the internet 110, the verification processing means 164 performs mutual authentication with the other party.
The encryption/decryption means 165 encrypts data and decrypts encrypted data.
The memory 166 holds the key information K_X for decrypting the key information K_C1, K_C2, and K_C3 held in the key information storage area 122 of the external memory 107 described above.
The CPU 167 executes the tasks described later according to a predetermined program (the program of the present invention), and executes the application programs specified in the course of executing those tasks.
Fig. 26 illustrates the tasks performed by the CPU 167.
As shown in fig. 26, the CPU 167 executes a download task 170, a system task 171, an AP task 172 (a program of the present invention), and a settlement processing routine task 173.
As will be described later, the download task 170 performs the process of downloading an application program from outside the SAM apparatus 109 to the external memory 107 via the SAM chip 108.
The system task 171 performs driver management operations specific to the IC card 103, and other processing.
The AP task 172 comprehensively manages the execution of the application programs AP_1, AP_2, and AP_3, which are executed when the SAM chip 108 receives a processing request from the ASP server 106 or from elsewhere outside the SAM chip 108.
The settlement processing routine task 173 determines which of the application programs AP_1, AP_2, and AP_3 is to be used when the SAM chip 108 receives a processing request relating to the IC card 103 from the ASP server 106.
An example of the operation of the communication system 101 will be described below.
[Operation of downloading an AP to the external memory]
Fig. 27 is a flowchart illustrating the operation of downloading the application program AP_1 from the personal computer 116_1 shown in fig. 19 to the external memory 107.
Step ST101:
The personal computer 116_1 shown in fig. 19 transmits, through the authentication apparatus 117_1, a download request to the SAM chip 108 specifying the module names of the program modules to be downloaded.
Step ST102:
The download task 170 running on the SAM chip 108 shown in fig. 26 performs mutual authentication with the authentication apparatus 117_1 connected to the personal computer 116_1. When the mutual authentication confirms the validity of both parties, the process of step ST103 is executed.
Note that in the present embodiment various techniques can be used for mutual authentication, but the following technique is used.
The authentication apparatus 117_1 and the SAM chip 108 each hold the identification information of the SAM chip 108, that is, the SAM_ID, and mutual authentication master key information.
The authentication apparatus 117_1 encrypts the SAM_ID with the mutual authentication master key information and transmits it to the SAM chip 108. The SAM chip 108 decrypts the received encrypted SAM_ID with the mutual authentication master key and compares it with the SAM_ID it holds. If they match, the validity of the authentication apparatus 117_1 is confirmed. Conversely, the SAM chip 108 encrypts the SAM_ID with the mutual authentication master key information and transmits it to the authentication apparatus 117_1. The authentication apparatus 117_1 decrypts the received encrypted SAM_ID with the mutual authentication master key and compares it with the SAM_ID it holds. If they match, the validity of the SAM chip 108 is confirmed.
Step ST103:
The download task 170 judges whether each module name specified in the download request of step ST101 is recorded in the module management data 130 stored in the AP management storage area 121 of the external memory 107.
Step ST104:
When it is judged in step ST103 that the module names are not recorded, the process ends without performing the download; when it is judged that they are recorded, the process of step ST105 is performed.
Step ST105:
The authentication apparatus 117_1 encrypts the SAM_ID as plaintext using the AP master key KEY-a, generating the download signature verification key information.
It then transmits to the SAM chip 108 either the download signature verification key information itself or signature information generated using the download signature verification key information.
Step ST106:
When the download signature verification key information is received in step ST105, the download task 170 determines whether it matches the download signature verification key information recorded for the corresponding module name in the module management data 130.
When signature information is received in step ST105, the download task 170 judges the validity of the signature information using the download signature verification key information recorded for the corresponding module name in the module management data 130.
Step ST107:
When it is judged in step ST106 that the download signature verification key information matches, or that the signature information is legitimate, the download task 170 proceeds to the process of step ST108; in other cases the process ends.
Step ST108:
The download task 170 determines the address in the external memory 107 corresponding to the module name specified in step ST101 by referring to the module management data 130, and downloads the program module from the personal computer 116_1 to that address in the external memory 107.
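The download check of steps ST101 to ST108, worked through as an added example in Python; this is not code from the patent or from Sony. The cipher (an XOR keystream derived with SHA-256), the SAM_ID, the mutual authentication master key, the AP master key KEY-a, and the module names and addresses are constructed stand-ins, since the page does not specify the algorithms or values. The block carries out the mutual authentication exchange of step ST102 as described, derives the download signature verification key information as in step ST105, compares it against the module management data 130, and writes the module only within the recorded start address and address length.

```python
"""Added example (not the patent's or Sony's code): the AP download check
of fig. 27 with constructed keys, names and a stand-in cipher."""
import hashlib
import hmac
from dataclasses import dataclass


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the unspecified symmetric cipher: XOR with a
    SHA-256 keystream derived from the key. Applying it twice decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ModuleEntry:
    """One row of the module management data 130 (fig. 24)."""
    firewall_no: int
    start_address: int
    address_length: int
    download_key: bytes    # download signature verification key information
    execution_key: bytes   # execution signature verification key information


SAM_ID = b"SAM-0001"                  # constructed identification information
MASTER_KEY = b"mutual-auth-master"    # constructed mutual authentication master key
AP_MASTER_KEY_A = b"ap-master-key-a"  # constructed AP master key KEY-a

# Step ST105 derives the download key as SAM_ID encrypted with KEY-a, so the
# manager records that same value in the module management data in advance.
MODULE_MANAGEMENT_DATA = {
    "ap1_mod_a": ModuleEntry(1, 0x0000, 0x0100,
                             toy_encrypt(AP_MASTER_KEY_A, SAM_ID), b"exec-key-a"),
    "ap1_mod_b": ModuleEntry(1, 0x0100, 0x0080,
                             toy_encrypt(AP_MASTER_KEY_A, SAM_ID), b"exec-key-b"),
}


def mutual_authenticate(device_sam_id: bytes, device_master_key: bytes) -> bool:
    """Step ST102 as described: each side sends SAM_ID encrypted with the master
    key, the other side decrypts it and compares with its own stored SAM_ID."""
    # authentication apparatus -> SAM chip
    from_device = toy_encrypt(device_master_key, device_sam_id)
    if toy_encrypt(MASTER_KEY, from_device) != SAM_ID:
        return False
    # SAM chip -> authentication apparatus
    from_sam = toy_encrypt(MASTER_KEY, SAM_ID)
    return toy_encrypt(device_master_key, from_sam) == device_sam_id


def download_module(external_memory: bytearray, module_name: str,
                    presented_key: bytes, module_bytes: bytes,
                    device_sam_id: bytes = SAM_ID,
                    device_master_key: bytes = MASTER_KEY) -> bool:
    """Steps ST102 to ST108 on the SAM chip side. Returns True only when the
    module was written to the external memory."""
    if not mutual_authenticate(device_sam_id, device_master_key):   # ST102
        return False
    entry = MODULE_MANAGEMENT_DATA.get(module_name)                  # ST103/ST104
    if entry is None:
        return False
    if not hmac.compare_digest(presented_key, entry.download_key):   # ST106/ST107
        return False
    # ST108: the recorded start address and address length bound the write,
    # so a module cannot spill into a neighbouring storage area.
    if len(module_bytes) > entry.address_length:
        return False
    start = entry.start_address
    external_memory[start:start + len(module_bytes)] = module_bytes
    return True
```

As the page describes it, the exchange of step ST102 carries no challenge value, so a matching message proves possession of the SAM_ID and the master key but not that it was produced for this session; a deployment would add a nonce in each direction. The length check against the recorded address length is the bound implied by the start address and address length fields of the module management data.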
[Operation of executing an application program]
Fig. 28 is a flowchart illustrating the operation in which the SAM chip 108 shown in fig. 19 executes the application program AP_1.
Step ST111:
When the SAM chip 108 receives a request for execution of the application program AP_1 from the ASP server 106, the AP task 172 shown in fig. 26 performs the process of step ST112.
Step ST112:
When the AP task 172 is to execute a program module of the application program AP_1, it obtains the execution signature verification key information corresponding to the module name of that program module by referring to the module management data 130.
Step ST113:
The AP task 172 verifies the validity of the signature information of the program module using the execution signature verification key information obtained in step ST112.
That is, it determines whether the program module has been illegally altered or tampered with.
Step ST114:
When the AP task 172 confirms in step ST113 that the signature information is legitimate, it proceeds to the process of step ST115; when it judges that the signature information is not legitimate, the process ends.
Step ST115:
The AP task 172 executes the program module whose signature information has been confirmed to be legitimate.
Note that a program module may also be executed by the CPU 167 shown in fig. 25 as a subroutine of the program.
[Operation during execution of an application program]
Fig. 29 is a view illustrating the operation during execution of an application program.
Step ST121:
When the AP task 172 executes the code in a program module through the processing shown in fig. 28, it determines whether the code to be executed next instructs data transfer to, or a data check on, another program module.
Step ST122:
When it is judged that the code to be executed next does not instruct data transfer to or a data check on another program module, the AP task 172 proceeds to the process of step ST124; when it is judged that the code to be executed next does instruct such a data transfer or data check, it proceeds to the process of step ST123.
Step ST123:
The AP task 172 executes the code.
Step ST124:
The AP task 172 performs error handling without executing the code.
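The execution-time checks of figs. 28 and 29, as an added example in Python that is not the patent's or Sony's code. Before a program module runs, its signature information is recomputed with its execution signature verification key information and compared; while it runs, an instruction that transfers data to, or reads data from, a module behind a different firewall is diverted to error handling instead of being executed, which is the restriction the firewalls FW_1, FW_2, and FW_3 impose between applications. HMAC-SHA256 as the signature scheme, the three-tuple instruction format, and the module names, keys, and contents are constructed assumptions.

```python
"""Added example (not the patent's or Sony's code): signature check before
execution and the firewall check on each instruction, with constructed data."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Module:
    """A program module plus the fields the module management data keeps for it."""
    name: str
    firewall_no: int        # firewall number (FW_1 for AP_1, FW_2 for AP_2, ...)
    execution_key: bytes    # execution signature verification key information
    code: list              # constructed instruction list: (op, target_module, payload)
    signature: bytes = b""  # signature information given to the module


def sign_module(code: list, key: bytes) -> bytes:
    """Constructed signing step: HMAC-SHA256 over the serialized code."""
    return hmac.new(key, repr(code).encode(), hashlib.sha256).digest()


def verify_module(mod: Module) -> bool:
    """Steps ST112/ST113: recompute the signature with the execution key and compare."""
    return hmac.compare_digest(sign_module(mod.code, mod.execution_key), mod.signature)


def run_module(mod: Module, modules: dict) -> dict:
    """Steps ST114/ST115 with the fig. 29 check applied to every instruction.

    Returns a trace: whether the signature verified, which instructions ran,
    which were diverted to error handling, and the data the module stored."""
    trace = {"verified": False, "executed": [], "errors": [], "data": {}}
    if not verify_module(mod):               # ST114: not legitimate -> end
        return trace
    trace["verified"] = True
    for op in mod.code:
        kind, target, payload = op
        # ST121: the instruction touches another module; allow it only when
        # that module sits behind the same firewall (same application).
        if target != mod.name and modules[target].firewall_no != mod.firewall_no:
            trace["errors"].append(op)       # error handling, code not executed
            continue
        if kind == "store":
            trace["data"][(target, payload[0])] = payload[1]
        trace["executed"].append(op)         # "read" ops only need the access check here
    return trace


def build_sample_modules() -> dict:
    """Constructed modules: two for AP_1 behind FW_1, one for AP_2 behind FW_2."""
    key1, key2 = b"exec-key-ap1", b"exec-key-ap2"
    mods = {
        "ap1_mod_a": Module("ap1_mod_a", 1, key1, [
            ("store", "ap1_mod_a", ("balance", 100)),
            ("store", "ap1_mod_b", ("balance", 50)),   # same firewall: allowed
            ("read", "ap2_mod_a", "balance"),          # other firewall: refused
        ]),
        "ap1_mod_b": Module("ap1_mod_b", 1, key1, []),
        "ap2_mod_a": Module("ap2_mod_a", 2, key2, [("store", "ap2_mod_a", ("balance", 7))]),
    }
    for m in mods.values():
        m.signature = sign_module(m.code, m.execution_key)
    return mods


def tampered_copy(mod: Module) -> Module:
    """Constructed tampering: the code is altered after signing, signature kept."""
    return Module(mod.name, mod.firewall_no, mod.execution_key,
                  mod.code + [("store", mod.name, ("balance", 999))], mod.signature)
```

The firewall number from the module management data is what decides the cross-module case: two modules of the same application share a number and may exchange data, while a module of another application does not, so the access is logged as an error rather than performed.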
The overall operation of the communication system 101 shown in fig. 19 will be described below.
Fig. 30 is a view illustrating the overall operation of the communication system 101 shown in fig. 19.
Step ST131:
The enterprises 115_1 to 115_3, or a party commissioned by them, generate the application programs AP_1, AP_2, and AP_3 on the personal computers 116_1, 116_2, and 116_3 shown in fig. 19; these application programs enable the enterprises to perform processing related to transactions made using the IC card 103.
Further, the manager of the SAM chip 108 generates the module management data 130 shown in fig. 23, encrypts it, and saves it in the external memory 107.
Step ST132:
The application programs AP_1, AP_2, and AP_3 are downloaded from the personal computers 116_1, 116_2, and 116_3 to the SAM chip 108 through the authentication apparatuses 117_1, 117_2, and 117_3.
At this time, the processing described with reference to fig. 27 is executed.
Step ST133:
The IC card 103 is issued to the user.
As shown in fig. 22, the memory 150 of the IC 103a of the IC card 103 holds key information for transactions between the user and the enterprises with which the user has a contract.
Note that after the IC card 103 is issued, the user and an enterprise can also conclude a contract through the internet 110 or the like.
Step ST134:
For example, when the user attempts to purchase a product by accessing the server 102 through the internet 110 using the personal computer 105, the server 102 transmits a processing request to the ASP server 106 through the internet 110.
On receiving the processing request from the server 102, the ASP server 106 accesses the personal computer 105 through the internet 110. Further, the processing request for the IC card 103 issued via the reader/writer 104 is transmitted to the SAM chip 108 via the personal computer 105, the internet 110, and the ASP server 106.
Step ST135:
The SAM chip 108 selects an application program by means of the settlement processing routine task 173 according to the processing request received in step ST134, and executes the selected application program.
During execution of the application program, the processing explained using figs. 28 and 29 is performed.
The SAM chip 108 outputs the execution result of the application program to the ASP server 106.
As described above, according to the communication system 101, since the SAM chip 108 authenticates the downloader of an application program using the authentication apparatuses 117_1, 117_2, and 117_3, as described with reference to fig. 27, and allows the application program to be downloaded only to its designated storage area in the external memory 107, an unauthorized party can be prevented from illegally replacing or tampering with an application program in the external memory 107.
Further, according to the communication system 101, when the SAM chip 108 runs several applications, data transfer and the viewing of data and code between the applications are restricted by the firewalls FW_1, FW_2, and FW_3, so the processing of each application can be prevented from being illegally disturbed or tampered with by another application. In addition, the confidentiality of each application is improved.
Further, according to the communication system 101, by verifying whether an application has been tampered with when it is executed, as described with reference to fig. 28, identity theft and other illegal acts based on illegal tampering with the application can be prevented.
Further, according to the communication system 101, since each application program is composed of a plurality of program modules, the program modules can be downloaded to the external memory 107 in units of modules.
Further, according to the communication system 101, by always scrambling and encrypting the highly confidential key information used for operations on the IC card 103 before saving it in the external memory, the security level of the key information can be improved.
Further, according to the communication system 101, since the bus scramble function encrypts and decrypts an application when its code is accessed, the application stored in the external memory 107 can be protected from illegal analysis or the like even while the SAM chip 108 has stopped processing.
Fig. 31 is a functional block diagram showing the functional blocks of the SAM chip 108 shown in fig. 25 in more detail.
As shown in fig. 31, in the SAM chip 108 the ASPS communication interface means 160, the external memory communication interface means 161, the bus scramble means 162, the encryption/decryption means 165, the memory 166, and the CPU 167 are connected via an internal bus 190.
Part of the functions of the signature processing means 163 and the verification processing means 164 shown in fig. 25 are realized by the CPU 167.
In the SAM chip 108 shown in fig. 31, it is also possible, for example as shown in fig. 32, to connect a card I/F device 191 on the internal bus 190 to an RF receiving/transmitting device 192 located outside the SAM chip 108, and to exchange data with the IC card 103 by a contactless system through an antenna 192a of the RF receiving/transmitting device 192.
Third embodiment
This embodiment is an embodiment corresponding to aspects 10 to 12 of the present invention.
Fig. 33 shows the overall configuration of the communication system 201 of the present embodiment.
As shown in fig. 33, the communication system 201 comprises a server 202, an IC card 203, a reader/writer 204, a personal computer 205, an ASP (application service provider) server 206, a SAM (secure application module) device 209, personal computers 216_1, 216_2, and 216_3, and authentication devices 217_1, 217_2, and 217_3, which communicate through the internet 210, and performs settlement processing or other processing for transactions using the IC card 203.
The SAM device 209 has an external memory 207 and a SAM chip 208.
The SAM chip 208 has the software configuration shown in fig. 34.
As shown in fig. 34, the SAM chip 208 has, from the bottom layer to the top layer, a HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer, and an AP layer.
The low-level handler layer includes a driver layer.
Here, the AP layer includes application programs AP_1, AP_2, and AP_3 that define the processing in which the IC card 203 is used by a credit card company or other enterprises 215_1, 215_2, and 215_3 shown in fig. 33.
In the AP layer, a firewall FW is provided between the application programs AP_1, AP_2, and AP_3 and the high-level handler layer.
The SAM chip 208 is connected to the ASP server 206 through a SCSI port, ethernet, or the like. The ASP server 206 is connected through the internet 210 to several terminal devices, including the personal computer 205 of the end user and the personal computers 216_1, 216_2, and 216_3 of the enterprises 215_1, 215_2, and 215_3.
The personal computer 205 is connected to the dumb-type reader/writer 204 through a serial port or a USB port. The reader/writer 204 performs the physical wireless communication with the IC card 203.
An operation command to be transmitted to the IC card 203 is generated on the SAM device 209 side, and the response packet from the IC card 203 is analyzed there. Thus, the reader/writer 204, the personal computer 205, and the ASP server 206 in between serve only to carry the command or response in the data payload section and relay it; they take no part in the encryption or decryption of data, authentication, or the other actual operations on the IC card 203.
The enterprises 215_1, 215_2, and 215_3 generate the application programs AP_1, AP_2, and AP_3 using the personal computers 216_1, 216_2, and 216_3, and download the generated application programs into predetermined storage areas in the external memory 207 through the authentication devices 217_1, 217_2, and 217_3 and via the SAM chip 208.
At this time, since the enterprises 215_1, 215_2, and 215_3 are independent of each other, the storage areas in the external memory 207 into which the application programs AP_1, AP_2, and AP_3 can be downloaded are predetermined, and the SAM chip 208 verifies whether there is authority to download to those storage areas.
Further, data transfer and data viewing between the applications AP_1, AP_2, and AP_3 are restricted by the firewall FW. As described later, when the application programs AP_1, AP_2, and AP_3 are downloaded to the SAM chip 208, the authentication devices 217_1, 217_2, and 217_3 perform mutual authentication with the SAM chip 208, generate download signature verification key information, and so on.
The components shown in fig. 33 are explained below.
[IC card 203]
Fig. 35 is a functional block diagram of the IC card 203.
As shown in fig. 35, the IC card 203 has an IC (integrated circuit) 203a provided with a memory 250 and a processor 251.
As shown in fig. 36, the memory 250 has a storage area 255_1 used by a credit card company or other enterprise 215_1, a storage area 255_2 used by the enterprise 215_2, and a storage area 255_3 used by the enterprise 215_3. Further, the memory 250 holds key information for judging access authority to the storage area 255_1, key information for judging access authority to the storage area 255_2, and key information for judging access authority to the storage area 255_3. This key information is used for mutual authentication, encryption and decryption of data, and the like.
Further, the memory 250 holds identification information of the IC card 203 or of the user of the IC card 203.
Next, the SAM device 209 will be explained in detail.
[External memory 207]
Fig. 37 illustrates the storage areas of the external memory 207.
As shown in fig. 37, the storage areas of the external memory 207 include an AP storage area 220_1 that stores the application program AP_1 of the enterprise 215_1, an AP storage area 220_2 that stores the application program AP_2 of the enterprise 215_2, an AP storage area 220_3 that stores the application program AP_3 of the enterprise 215_3, and an AP management storage area 221 used by the manager of the SAM chip 208.
The application program AP_1 stored in the AP storage area 220_1 is composed of several program modules. The firewall FW_1 restricts access to the AP storage area 220_1.
The application program AP_2 stored in the AP storage area 220_2 is composed of several program modules. The firewall FW_2 restricts access to the AP storage area 220_2.
The application program AP_3 stored in the AP storage area 220_3 is composed of several program modules. The firewall FW_3 restricts access to the AP storage area 220_3.
In the present embodiment, the program module is the minimum unit downloaded to the external memory 207 via the SAM device 209. The number of program modules constituting each application program can be freely determined by the corresponding enterprise.
Further, the application programs AP_1, AP_2, and AP_3 stored in the external memory 207 are scrambled, and are descrambled when read into the SAM chip 208.
Further, the application programs AP_1, AP_2, and AP_3 are generated by the enterprises 215_1, 215_2, and 215_3 using the personal computers 216_1, 216_2, and 216_3 shown in fig. 33, and are downloaded to the external memory 207 through the SAM chip 208.
The firewall FW_4 restricts access to the AP management storage area 221.
Note that the firewalls FW_1, FW_2, FW_3, and FW_4 correspond to the firewall FW shown in fig. 34.
As shown in fig. 37, the AP management storage area 221 holds AP selection data 231 and inter-AP communication data 232.
Here, the AP selection data 231 and the inter-AP communication data 232 are recorded in advance when the SAM chip 208 is manufactured. Further, the AP selection data 231 and the inter-AP communication data 232 may be rewritten only by the manager of the SAM chip 208.
Fig. 38 illustrates the AP selection data 231.
As shown in fig. 38, the AP selection data 231 links the IC card type information with the AP identification information.
The IC card type information represents the type of the IC card 203 shown in fig. 33, and is identification information of the credit card company that performs settlement of transactions using the IC card 203.
As shown in fig. 34, the AP identification information is identification information of an application program operating on the AP layer of the SAM chip 208.
Fig. 39 illustrates the inter-AP communication data 232.
The inter-AP communication data 232 indicates whether communication between the applications AP_1, AP_2, and AP_3 shown in fig. 34 is permitted.
Specifically, it indicates whether a communication request issued by the application in the entry of a given column to the application in the entry of a given row of fig. 39 is permitted.
For example, the application program AP_3 is permitted to issue a communication request to the application program AP_1, but a communication request from it to the application program AP_2 is rejected.
Further, as shown in fig. 37, the AP management storage area 221 has an inter-AP communication storage area 233 for communication (transfer of data) between applications.
[ SAM chip 208]
Fig. 40 is a functional block diagram of the SAM chip 208 shown in fig. 33.
As shown in fig. 40, the SAM chip 208 has an ASPS communication interface means 260, an external memory communication interface means 261, a bus scrambling means 262, a signature processing means 263, an authentication processing means 264, an encryption/decryption means 265, a memory 266, and a CPU 267.
The SAM chip 208 is a tamper-resistant module.
The ASPS communication interface means 160 is an interface for inputting and outputting data with respect to the ASP server 206 shown in fig. 33.
The external memory communication interface device 261 is an interface for inputting and outputting data to and from the external memory 207.
When data is input and output through the external memory communication interface device 261, the bus scrambling device 262 scrambles the output data and descrambles the input data.
That is, the external memory 207 holds the data in scrambled form; it is descrambled only inside the SAM chip 208.
The signature processing means 263 as described later generates a signature and verifies the signature when an application program is downloaded to the external memory 207 through the internet 210 and when the application program is executed.
When the application program is downloaded to the external memory 207 via the internet 210, the authentication processing means 264 performs mutual authentication with respect to the other party as will be described later.
The encryption/decryption device 265 encrypts data and decrypts the encrypted data.
The memory 266 holds data necessary for processing by the CPU 267.
The CPU 267 executes tasks as described later according to a predetermined program (the program of the present invention), and executes application programs specified in accordance with the execution of the tasks.
Fig. 41 illustrates tasks performed by the CPU 267.
As shown in fig. 41, the CPU 267 executes a download task 270, a system task 271, an AP task 272, a settlement processing routine task 273, an inter-AP communication task 274, and an inter-SAM communication task 275.
As will be described later, the download task 270 executes a process of downloading an application program from outside the SAM apparatus 209 to the external memory 207 via the SAM chip 208.
The system task 271 is a task of performing a driver management operation unique to the IC card 203, or other processing.
The AP task 272 comprehensively manages the execution of the application programs AP _1, AP _2, and AP _3, which are executed when the SAM chip 208 receives a processing request from the ASP server 206 or from elsewhere outside the SAM chip 208.
As shown in fig. 42, when the SAM chip 208 receives a processing request concerning the IC card 203 from the ASP server 206, the settlement processing routine task 273 obtains from the AP selection data 231 shown in fig. 38 the AP identification information corresponding to the IC card type information included in the processing request, and selects and executes the one of the application programs AP _1, AP _2, and AP _3 that corresponds to that AP identification information.
The inter-AP communication task 274 manages communication between applications.
Fig. 43 is a flowchart illustrating the processing of the inter-AP communication task 274.
Here, the description given exemplifies a case where the application program AP _1 issues a communication request to write data to AP _ 2.
Step ST 201:
when the executing application program AP _1 issues a communication request to write data to AP _2, the process of step ST202 is executed.
Step ST 202:
the communication request issued at step ST201 is received by the inter-AP communication task 274.
Step ST 203:
the inter-AP communication task 274 looks up the inter-AP communication data 232 shown in fig. 39 and determines whether the application program AP _1 is permitted to communicate with AP _2.
Step ST 204:
when the inter-AP communication task 274 judges in step ST203 that communication is possible, it performs the process of step ST205, and when communication is not possible, ends the process.
In this example, according to fig. 39, the application program AP _1 can communicate with AP _2, and therefore the process of step ST205 is executed.
Step ST 205:
under the control of the inter-AP communication task 274, the application program AP _1 writes data into the inter-AP communication storage area 233 shown in fig. 37.
Step ST 206:
the inter-AP communication task 274 notifies the application program AP _2 that data has been written.
Step ST 207:
the application program AP _2 reads data from the inter-AP communication memory area 233 according to the notification received in step ST 206.
Thereby, the communication between the application programs AP _1 and AP _2 relayed through the firewall is completed.
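The permission check and relay of steps ST201 to ST207, as an added Python example that is not part of the patent: a dictionary permission matrix stands in for the inter-AP communication data 232, and a second dictionary for the inter-AP communication memory area 233. Only the three relationships the text states (AP_1 to AP_2 permitted, AP_3 to AP_1 permitted, AP_3 to AP_2 rejected) are taken from the page; the remaining cells of the matrix, the sample payloads and the task's internal logging are constructed for the example.

```python
"""Inter-AP communication mediated by the inter-AP communication task,
following steps ST201 to ST207: a permission matrix is consulted, the
sender writes into a shared area, the receiver is notified and reads."""

# Constructed stand-in for the inter-AP communication data 232 (fig. 39),
# keyed as requester -> destination -> permitted. Three cells come from the
# text (AP_1->AP_2 yes, AP_3->AP_1 yes, AP_3->AP_2 no); the rest are assumed.
INTER_AP_COMM_DATA = {
    "AP_1": {"AP_2": True, "AP_3": False},
    "AP_2": {"AP_1": False, "AP_3": True},
    "AP_3": {"AP_1": True, "AP_2": False},
}


class InterAPCommTask:
    """Stand-in for the inter-AP communication task 274."""

    def __init__(self, comm_data):
        self.comm_data = comm_data
        self.storage_area = {}      # inter-AP communication memory area 233
        self.notifications = []     # pending (destination, source) notices
        self.log = []

    def is_permitted(self, src, dst):
        """ST203: an absent cell (including a request to oneself) is not permitted."""
        return bool(self.comm_data.get(src, {}).get(dst, False))

    def request_write(self, src, dst, data):
        """ST201-ST206: handle a write request from src to dst.
        Returns True when the data was relayed, False when the firewall refused."""
        self.log.append(("ST202", src, dst))
        if not self.is_permitted(src, dst):
            self.log.append(("ST204-reject", src, dst))
            return False
        # ST205: the sender writes under the task's control; it never touches
        # the destination's own storage area.
        self.storage_area[(src, dst)] = bytes(data)
        # ST206: notify the destination that data has been written.
        self.notifications.append((dst, src))
        return True

    def read_for(self, dst):
        """ST207: the destination reads what it was notified about.
        Returns a list of (source, data) in arrival order."""
        received, remaining = [], []
        for target, src in self.notifications:
            if target == dst:
                received.append((src, self.storage_area.pop((src, dst))))
            else:
                remaining.append((target, src))
        self.notifications = remaining
        return received


def demo():
    """Run the example of the text (AP_1 writes to AP_2) plus a refused request."""
    task = InterAPCommTask(INTER_AP_COMM_DATA)
    ok_1_to_2 = task.request_write("AP_1", "AP_2", b"settlement record")
    refused_3_to_2 = task.request_write("AP_3", "AP_2", b"probe")
    ok_3_to_1 = task.request_write("AP_3", "AP_1", b"balance query")
    got_by_2 = task.read_for("AP_2")
    got_by_1 = task.read_for("AP_1")
    return {
        "AP_1->AP_2": ok_1_to_2,
        "AP_3->AP_2": refused_3_to_2,
        "AP_3->AP_1": ok_3_to_1,
        "received_by_AP_2": got_by_2,
        "received_by_AP_1": got_by_1,
        "leftover": dict(task.storage_area),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the structure is that neither application ever addresses the other's storage: the refused request from AP_3 leaves nothing in the shared area and produces no notification, and a permitted transfer is consumed when the destination reads it, so the shared area holds nothing once ST207 completes.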
As shown in fig. 44, the inter-SAM communication task 275 can, as necessary, start the inter-SAM communication task 275 of another SAM chip 208x located outside the SAM chip 208 and issue remote commands to it.
When the processing load of the SAM chip 208 becomes too large for it to perform the processing properly, the inter-SAM communication task 275 of the SAM chip 208 sends such a remote command to the inter-SAM communication task 275 of the SAM chip 208x, requesting the SAM chip 208x to perform at least part of the processing assigned to the SAM chip 208.
The overall operation of the communication system 201 shown in fig. 33 will be described below.
Fig. 45 illustrates the overall operation of the communication system 201 shown in fig. 33.
Step ST 231:
the enterprises 215_1 to 215_3 or the parties requested by the enterprises generate the applications AP _1, AP _2, and AP _3 of the enterprises on the personal computers 216_1, 216_2, and 216_3 shown in fig. 33 so as to perform processing regarding transactions using the IC card 203.
Step ST 232:
the application programs AP _1, AP _2, and AP _3 are downloaded from the personal computers 216_1, 216_2, and 216_3 to the SAM chip 208 through the authentication means 217_1, 217_2, and 217_3.
Step ST 233:
the IC card 203 is issued to the user.
As shown in fig. 36, the IC 203a of the IC card 203 holds key information for a transaction of a user with a contracted enterprise.
Note that the contract between the user and the enterprise may also be concluded through the internet 210 or the like after the IC card 203 is issued.
Step ST 234:
For example, when a user wishes to access the server 202 and purchase a product through the internet 210 using the personal computer 205, the server 202 transmits a processing request to the ASP server 206 through the internet 210.
When the ASP server 206 receives the processing request from the server 202, the ASP server 206 accesses the personal computer 205 through the internet 210. Further, a processing request for the IC card 203 issued by the reader/writer 204 is sent to the SAM chip 208 via the personal computer 205, the internet 210, and the ASP server 206.
Step ST 235:
in accordance with the processing request received at step ST234, the SAM chip 208 selects an application program by means of the settlement processing routine task 273 and executes the selected application program.
In the execution of the applications, any communication between the applications is accomplished by the inter-AP communication task 274 shown in fig. 43 as mentioned above.
Step ST 236:
the SAM chip 208 outputs the execution result of the application program to the ASP server 206.
As described above, according to the communication system 201, as shown in fig. 34 and fig. 37, the firewall restricts the applications AP _1, AP _2, and AP _3 from accessing each other, so that an application cannot be illegally monitored or tampered with by another. The confidentiality of each application is thereby improved.
Further, according to the communication system 201, the processing shown in fig. 43 is completed using the AP management memory area 221 of the external memory 207 shown in fig. 37 by the inter-AP communication task 274 shown in fig. 41, allowing communication between applications within a range permitted in advance.
Thus, different services can be provided through synchronization and cooperation of several applications.
One such service is the automatic selection of an application by the settlement processing routine task 273 shown in fig. 41. Settlement processing that has the same structure of computation but differs in the settlement agreement according to the issuer of the IC card 203 can be resolved to the corresponding application program once the type of the IC card 203 is known. By describing such settlement processing at the level of the settlement processing routine task 273, the type of the IC card 203 and the corresponding application are determined automatically, which reduces the burden on the application developer.
Further, according to the communication system 201, since the information held in the external memory 207 is scrambled by the bus scrambling means 262 of the SAM chip 208 shown in fig. 40, it is highly resistant to analysis from outside.
Further, according to the communication system 201, the inter-SAM communication task 275 shown in fig. 41 allows the processing load of the SAM chip 208 to be distributed to other SAM chips. Thus, when the SAM chip 208 is installed in a shop server or the like that must handle settlement processing requests from several terminal apparatuses at the same time, the settlement processing capacity can be increased by using several SAM chips 208 through the inter-SAM communication task 275.
Fig. 46 is a block diagram showing functional blocks of the SAM chip 208 shown in fig. 40 in more detail.
As shown in fig. 46, in the SAM chip 208 the ASPS communication interface means 260, the external memory communication interface means 261, the bus scrambling means 262, the encryption/decryption means 265, the memory 266, and the CPU 267 are connected to one another via the internal bus 290.
Part of the functions of the signature processing means 263 and the authentication processing means 264 shown in fig. 40 are realized by the CPU 267.
As shown in fig. 47, the SAM chip 208 shown in fig. 46 may further have a card I/F device 291 connected to the internal bus 290, with an RF receiving/transmitting device 292 outside the SAM chip 208, so that data is exchanged contactlessly with the IC card 203 through an antenna 292a of the RF receiving/transmitting device 292.
Fourth embodiment
This embodiment is an embodiment corresponding to aspects 13 to 16 of the present invention.
Fig. 48 is a view of the overall structure of the communication system 301 of the present embodiment.
As shown in fig. 48, the communication system 301 uses a server 302, an IC card 303 (an integrated circuit of the present invention), a reader/writer 304, a personal computer 305, an ASP (application service provider) server 306, a SAM (secure application module) apparatus 309, personal computers 316_1, 316_2, 316_3, 316_4, and 316_5, authentication apparatuses 317_1, 317_2, 317_3, 317_4, and 317_5 (an authentication device of the present invention), and an ICE (in-circuit emulator) 318, which communicate via the internet 310 in order to develop or customize the software of the SAM chip 308, perform settlement processing using the IC card 303, and the like.
The SAM device 309 has an external memory 307 (semiconductor memory circuit of the present invention) and a SAM chip 308 (semiconductor circuit of the present invention).
The SAM chip 308 has a software configuration as shown in fig. 49.
As shown in fig. 49, the SAM chip 308 has, from the bottom layer to the top layer, an HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer, and an Application (AP) layer.
The low-level handler layer determines application-independent processing and corresponds to the transport, network, and data link layers in the OSI protocol.
The low level handler layer includes a driver layer.
The driver layer performs processing related to the operation of the LSI.
The high-level handler layer determines application-dependent processing and corresponds to a layer higher in the OSI protocol than the transport layer.
Here, the OS layer corresponds to a first layer of the present invention, the low-level handler layer, the driver layer, and the high-level handler layer correspond to a second layer of the present invention, and the AP layer corresponds to a third layer of the present invention.
The AP layer includes application programs AP _1, AP _2, and AP _3 that determine the procedure of using the IC card 303 by the credit card company and the other enterprises 315_ AP1, 315_ AP2, and 315_ AP3 shown in fig. 48.
In the AP layer, a firewall FW (firewall of the present invention) is provided between the application programs AP _1, AP _2, and AP _3 and the high-level handler layer.
In the software configuration shown in fig. 49, the AP layer determines the contents of the processing specific to each enterprise, for example settlement processing using the IC card 303. The processing that directly operates the IC card 303 is determined by the high-level handler layer and the layers below it.
The SAM chip 308 is connected to the ASP server 306 through a SCSI port, ethernet, or the like.
The ASP server 306 is connected to the personal computers 305, 316_1, 316_2, 316_3, 316_4, and 316_5 through the internet 310.
The personal computer 316_1 is used by the enterprise 315_ AP1 of the application program AP _1 executed by the SAM chip 308.
The personal computer 316_2 is used by the enterprise 315_ AP2 of the application program AP _2 executed by the SAM chip 308.
The personal computer 316_3 is used by the enterprise 315_ AP3 of the application program AP _3 executed by the SAM chip 308.
The personal computer 316_4 is used by a software developer 315_ MID capable of developing a high-level handler layer of the SAM chip 308 and a low-level handler layer including a driver layer.
The personal computer 316_5 is used by a manufacturer of the SAM chip 308, i.e., a software developer 315_ SUP having authority to manage the SAM chip 308 as a whole.
The enterprises 315_ AP1, 315_ AP2, and 315_ AP3 generate the application programs AP _1, AP _2, and AP _3 using the personal computers 316_1, 316_2, and 316_3 and the authentication devices 317_1, 317_2, and 317_3, and download the generated application programs through the SAM chip 308 into storage areas of the external memory 307 allocated to them in advance.
Since the enterprises 315_ AP1, 315_ AP2, and 315_ AP3 are independent of each other, the storage areas of the external memory 307 into which the applications AP _1, AP _2, and AP _3 may be downloaded are determined in advance, and the SAM chip 308 verifies that an application is authorized to be downloaded into the storage area it is destined for.
Further, the firewall FW restricts data transfer and data viewing between the applications AP _1, AP _2, and AP _3 during execution of the applications AP _1, AP _2, and AP _ 3.
The software developer 315_ MID downloads a predetermined program to the SAM chip 308 through the authentication means 317_4 as necessary in order to customize the high-level handler layer shown in fig. 49 and the low-level handler layer including the driver layer and the like of the SAM chip 308.
Further, the software developer 315_ SUP downloads a predetermined program to the SAM chip 308 through the authentication means 317_5 so as to customize all the layers shown in fig. 49.
As described later, when a predetermined program is downloaded from the personal computers 316_1 to 316_5 to the SAM chip 308, the authentication devices 317_1 to 317_5 perform mutual authentication with the SAM chip 308 and generate the download signature information and the like that the SAM chip 308 verifies.
The personal computer 305 is used by the owner of the IC card 303, i.e., the end user.
The personal computer 305 is connected to the dumb-type reader/writer 304 through a serial port or USB port. The reader/writer 304 performs the physical wireless communication with the IC card 303.
An operation command sent to the IC card 303 is generated on the SAM apparatus 309 side, and the response packet from the IC card 303 is analyzed there as well. The reader/writer 304, the personal computer 305, and the ASP server 306 interposed between them merely carry the command or response in the data payload section and relay it; they take no part in the encryption or decryption of data, authentication, or other operations on the IC card 303.
Further, the ICE 318 is an emulator used when debugging a program running on the SAM chip 308.
The components shown in fig. 48 will be explained below.
IC card 303
The IC card 303 holds key information and the like necessary for settlement processing using the SAM chip 308.
Authentication means 317_1-317_5
Fig. 50 is a functional block diagram of the authentication device 317_ 1.
As shown in fig. 50, the authentication device 317_1 has a memory 350_1 and a processor 351_ 1.
As shown in fig. 50, the memory 350_1 holds a SAM _ ID, mutual authentication master key information K1, and access master key information KA.
The SAM _ ID is identification information of the SAM chip 308.
As described later, the mutual authentication master key information K1 is used to generate the mutual authentication key information K2.
As will be described later, the access master key information KA is used to generate download signature information used when a program is downloaded into the external memory 307.
The access master key information KA is key information necessary for downloading the program of the AP layer of the software structure of the SAM chip 308 shown in fig. 49 to the external memory 307.
As shown in fig. 50, the processor 351_1 has a mutual authentication device 352_1 and a download processor 353_ 1.
As shown in fig. 51, when downloading the program to the external memory 307, the mutual authentication apparatus 352_1 encrypts the SAM _ ID in plaintext form using the mutual authentication master key information K1, generates the mutual authentication key information K2, and uses the mutual authentication key information K2 for mutual authentication with the SAM chip 308.
As shown in fig. 52, when a program is downloaded to the external memory 307, the download processor 353_1 encrypts the SAM _ ID in plaintext form using the access master key information KA, generating download key information K _ DA. Further, the download processor 353_1 generates download signature information using the download key information K _ DA and transmits it to the SAM chip 308.
The structures of the authentication devices 317_2 and 317_3 are the same as that of the authentication device 317_1 described above. However, the contents of the access master key information KA differ from one authentication device to another.
Fig. 53 is a functional block diagram of the authentication device 317_ 4.
As shown in fig. 53, the authentication device 317_4 has a memory 350_4 and a processor 351_ 4.
As shown in fig. 53, the memory 350_4 holds the SAM _ ID, the mutual authentication master key information K1, and the access master key information KA and KM.
The SAM _ ID, the mutual authentication master key information K1, and the access master key information KA are the same as described above.
The access master key information KM is key information for downloading programs of the high-level handler layer of the software structure of the SAM chip 308 shown in fig. 49 and the low-level handler layer including the driver layer to the external memory 307 or the SAM chip 308.
As shown in fig. 53, the processor 351_4 has a mutual authentication means 352_4 and a download processor 353_ 4.
The mutual authentication device 352_4 is the same as the mutual authentication device 352_1 described in fig. 51.
As shown in fig. 54, when a program is downloaded to the external memory 307, the download processor 353_4 encrypts the SAM _ ID in plaintext form using the access master key information KA, generating download key information K _ DA. Subsequently, the download processing means 353_4 encrypts the download key information K _ DA as plain text using the access master key information KM, generating the download key information K _ DM. Thereafter, the download processing means 353_4 generates download signature information using the download key information K _ DM and transmits it to the SAM chip 308.
Fig. 55 is a functional block diagram of the authentication device 317_ 5.
As shown in fig. 55, the authentication device 317_5 has a memory 350_5 and a processor 351_ 5.
As shown in fig. 55, the memory 350_5 holds a SAM _ ID, mutual authentication master key information K1, and access master key information KA, KM, and KS.
The SAM _ ID, the mutual authentication master key information K1, and the access master key information KA and KM are the same as described above.
The access master key information KS is key information required to download a program of the OS layer of the software structure of the SAM chip 308 shown in fig. 49 to the external memory 307 or the SAM chip 308.
As shown in fig. 55, the processor 351_5 has a mutual authentication means 352_5 and a download processor 353_ 5.
The mutual authentication means 352_5 is the same as the above-mentioned mutual authentication means 352_1 shown in fig. 51.
As shown in fig. 56, when a program is downloaded to the external memory 307, the download processor 353_5 encrypts the SAM _ ID as a plain text with the access master key information KA, generating download key information K _ DA. Subsequently, the download processor 353_5 encrypts the download key information K _ DA as plain text using the access master key information KM, generating the download key information K _ DM. Thereafter, the download processor 353_5 encrypts the download key information K _ DM as plain text using the access master key information KS, generating the download key information K _ DS. Then, the download processor 353_5 generates download signature information using the download key information K _ DS and transmits it to the SAM chip 308.
In this embodiment, the authentication devices 317_1, 317_4, and 317_5 store the information in the memories 350_1, 350_4, and 350_5 securely. When destruction of this information by external factors or forcible opening of the device is detected by a detection means, the information stored in the memories 350_1, 350_4, and 350_5 is erased.
SAM apparatus 309
[ external memory 307]
Fig. 57 illustrates a storage area of the external memory 307.
As shown in fig. 57, the storage areas of the external memory 307 include an AP storage area 320_1 that stores the application program AP _1 of the enterprise 315_1, an AP storage area 320_2 that stores the application program AP _2 of the enterprise 315_2, an AP storage area 320_3 that stores the application program AP _3 of the enterprise 315_3, and an AP management storage area 321 used by the administrator of the SAM chip 308.
The application program AP _1 stored in the AP memory area 320_1 is composed of several program modules. Access to the AP storage area 320_1 is limited by a firewall FW _ 1.
The application program AP _2 stored in the AP memory area 320_2 is composed of several program modules. Access to the AP storage area 320_2 is limited by a firewall FW _ 2.
The application program AP _3 stored in the AP memory area 320_3 is composed of several program modules. Access to the AP storage area 320_3 is limited by a firewall FW _ 3.
In the present embodiment, the program module described above is a minimum unit downloaded from outside the SAM apparatus 309 to the external memory 307. The number of program modules constituting each application program can be freely determined by the corresponding enterprise.
Further, the application programs AP _1, AP _2, and AP _3 held in the external memory 307 are scrambled. Further, when read into the SAM chip 308, they are descrambled.
Further, the application programs AP _1, AP _2, and AP _3 are generated by the enterprises 315_1, 315_2, and 315_3 using the personal computers 316_1, 316_2, and 316_3 shown in fig. 48, and are downloaded to the external memory 307 through the SAM chip 308.
Access to the AP management storage area 321 is restricted by the firewall FW _ 4.
Note that the firewalls FW _1, FW _2, FW _3 and FW _4 correspond to the firewall FW shown in fig. 49.
The AP management memory area 321 holds AP management data 330.
The AP management data 330 includes the SAM _ ID, the mutual authentication key information K2 (or the mutual authentication master key information K1), and the download signature verification key information K _ DVA, K _ DVM, and K _ DVS.
Here, the download signature verification key information K _ DVA is key information for verifying the validity of the signature information generated using the download key information K _ DA.
The download signature verification key information K _ DVM is key information for verifying the validity of signature information generated using the download key information K _ DM.
The download signature verification key information K _ DVS is key information for verifying the validity of signature information generated using the download key information K _ DS.
The download signature verification key information is key information for signature verification performed when the program module is downloaded to the external memory 307 through the SAM chip 308.
[ SAM chip 308]
Fig. 58 is a functional block diagram of the SAM chip 308 shown in fig. 48.
As shown in fig. 58, the SAM chip 308 has an ASPS communication interface means 360, an external memory communication interface means 361, a bus scramble means 362, an encryption/decryption means 363, a memory 364, and a CPU 365.
The SAM chip 308 is a tamper-resistant module.
The ASPS communication interface means 360 is an interface for inputting and outputting data with respect to the ASP server 306 shown in fig. 48.
The external memory communication interface device 361 is an interface for inputting and outputting data to and from the external memory 307.
When data is input and output through the external memory communication interface device 361, the bus scrambling device 362 scrambles the output data and descrambles the input data.
The encryption/decryption device 363 encrypts data and decrypts the encrypted data.
The memory 364 holds data for processing by the CPU 365.
The CPU 365 executes the various processes of the SAM chip 308, including the application programs, in the form of tasks or the like according to a predetermined program (the program of the present invention).
For example, the CPU 365 executes a download task 365a for completing a process of downloading a program module through the internet 310.
The downloading operation of the program module by the downloading task 365a of the CPU 365 will be described below.
Fig. 59 is a flowchart illustrating a download operation.
In the following embodiment, a description will be given of an operation when the enterprise 315_ AP1 downloads a program module of the application program AP _1 shown in fig. 49 and 57.
Step ST 301:
the personal computer 316_1 shown in fig. 48 transmits a download request specifying the module names of the respective program modules constituting the application program AP _1 to be downloaded to the SAM chip 308 through the authentication apparatus 317_1, the internet 310, the ASP server 306, and the ICE 318.
Step ST 302:
as shown in fig. 51, the mutual authentication apparatus 352_1 of the processor 351_1 of the authentication apparatus 317_1 encrypts the SAM _ ID as plaintext using the mutual authentication master key information K1, generating mutual authentication key information K2.
Step ST 303:
the mutual authentication means 352_1 of the processor 351_1 of the authentication means 317_1 performs mutual authentication with the download task 365a of the CPU365 of the SAM chip 308 using the mutual authentication key information K2 generated at step ST 302.
Step ST 304:
when the mutual validity is confirmed in the mutual authentication at step ST303, the apparatus goes to the processing at step ST305, and when the mutual validity is not confirmed, the processing is ended.
Step ST 305:
as shown in fig. 52, the download processing device 353_1 of the processor 351_1 of the authentication device 317_1 shown in fig. 50 encrypts the SAM _ ID as plaintext using the access master key information KA, generating the download key information K _ DA.
Step ST 306:
the download processing means 353_1 generates download signature information using the download key information K _ DA generated in step ST 305.
Step ST 307:
the download processing means 353_1 transmits the download signature information generated in step ST306 to the SAM chip 308.
Step ST 308:
the download task 365a of the CPU365 of the SAM chip 308 shown in fig. 58 judges the validity of the download signature information received in step ST307 using the download signature verification key information K _ DVA shown in fig. 57.
At this time, the download task 365a judges from the module name received at step ST301 whether the download request concerns the AP layer, and accordingly selects the download signature verification key information K _ DVA.
Step ST 309:
if it is judged at step ST308 that the download signature information is legitimate, the task goes to the processing at step ST310, otherwise the processing is ended.
Step ST 310:
the download task 365a of the CPU 365 of the SAM chip 308 shown in fig. 58 looks up in the AP management data 330 the address in the external memory 307 that corresponds to the module name specified at step ST301, and writes the program module received from the personal computer 316_1 to that address in the external memory 307.
Note that when the software developer 315_ MID downloads the program modules of the high-level handler layer and the low-level handler layer shown in fig. 49 to the external memory 307, the download key information K _ DM is generated by the routine explained with fig. 54 at step ST 305. Using the download key information, download signature information is generated in step ST 306. Further, in step ST308, in the SAM chip 308, the download signature verification key information K _ DVM shown in fig. 57 is used to verify the download signature information.
Further, when the software developer 315_ SUP downloads the program module of the OS layer shown in fig. 49 to the external memory 307, the routine explained with fig. 56 is used to generate the download key information K _ DS in step ST 305. With this download key information K _ DS, download signature information is generated in step ST 306. Further, in step ST308, in the SAM chip 308, the download signature verification key information K _ DVS shown in fig. 57 is used to verify the download signature information.
Note that the software developers 315_ MID and 315_ SUP can download the program modules of the AP layer to the external memory 307 using the access master key information KA.
In addition, the software developer 315_ SUP can download program modules of the high-level handler layer and the low-level handler layer to the external memory 307 using the access master key information KA and KM.
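The derivation chain of fig. 51 to fig. 56, the download procedure of fig. 59 (steps ST302 to ST310) and the authority rules just stated, as an added Python example that is not part of the patent. It assumes HMAC-SHA256 as a stand-in for the block-cipher encryption the text describes, a symmetric download signature (so that each verification key K_DVA, K_DVM, K_DVS equals the corresponding download key and the SAM derives them from the master keys when provisioned), a challenge-response on K2 for the mutual authentication of step ST303, and constructed key bytes, module names and module bodies; the module-name-to-layer table stands in for the management data the download task consults at steps ST308 and ST310.

```python
"""Download-key derivation (fig. 51 to fig. 56) and the fig. 59 download procedure
(ST302 to ST310). Every key value, module name and module body is constructed."""
import hashlib, hmac, os

def derive(master_key, plaintext):
    """Stands in for 'encrypt the plaintext with the master key'. The page describes
    block-cipher encryption; HMAC-SHA256 is substituted as a keyed one-way function
    (assumption) so that only the standard library is needed."""
    return hmac.new(master_key, plaintext, hashlib.sha256).digest()

def download_signature(key, module_name, module_body):
    """Download signature information (ST306) over name and body (assumed fields)."""
    return hmac.new(key, module_name.encode() + b"\x00" + module_body, hashlib.sha256).digest()

# fig. 49 layers by increasing authority, each gated by one access master key.
LAYERS = ("AP", "HANDLER", "OS")
GATE = {"AP": "KA", "HANDLER": "KM", "OS": "KS"}

def download_key(sam_id, master_keys, layer):
    """K_DA = E_KA(SAM_ID); K_DM = E_KM(K_DA); K_DS = E_KS(K_DM). None when a master
    key on the path is missing: KA reaches AP, KA+KM the handlers, KA+KM+KS the OS."""
    key = sam_id
    for lyr in LAYERS:
        master = master_keys.get(GATE[lyr])
        if master is None:
            return None
        key = derive(master, key)
        if lyr == layer:
            return key
    raise ValueError("unknown layer: %r" % (layer,))

class AuthenticationDevice:
    """Authentication device 317_x: holds SAM_ID, K1 and a subset of KA, KM, KS."""
    def __init__(self, sam_id, master_keys):
        self.sam_id, self.master_keys = sam_id, master_keys
        self.k2 = derive(master_keys["K1"], sam_id)   # ST302, fig. 51
        self._nonce = None
    def respond(self, challenge):                     # answer the SAM's challenge
        return derive(self.k2, challenge)
    def challenge(self):                              # challenge the SAM in turn
        self._nonce = os.urandom(16)
        return self._nonce
    def verify(self, response):
        return hmac.compare_digest(response, derive(self.k2, self._nonce))
    def sign_module(self, layer, module_name, module_body):
        """ST305-ST306; None when this device cannot derive the layer's download key."""
        key = download_key(self.sam_id, self.master_keys, layer)
        return None if key is None else download_signature(key, module_name, module_body)

class SamDownloadTask:
    """Download task 365a. With the symmetric stand-in the verification keys
    K_DVA/K_DVM/K_DVS (AP management data 330) equal the download keys and are
    derived once from the master keys at provisioning (assumption)."""
    def __init__(self, sam_id, master_keys, module_layers):
        self.k2 = derive(master_keys["K1"], sam_id)
        self.verify_keys = {lyr: download_key(sam_id, master_keys, lyr) for lyr in LAYERS}
        self.module_layers = module_layers   # module name -> layer (consulted at ST308)
        self.external_memory = {}            # module name -> stored body (ST310)
    def mutual_authenticate(self, device):
        """ST303: challenge-response on the shared K2, each side checking the other."""
        c1, c2 = os.urandom(16), device.challenge()
        return (hmac.compare_digest(device.respond(c1), derive(self.k2, c1))
                and device.verify(derive(self.k2, c2)))
    def download(self, device, module_name, module_body, signature):
        if not self.mutual_authenticate(device):
            return "auth_failed"                                       # ST304
        layer = self.module_layers.get(module_name)
        if layer is None or signature is None:
            return "rejected"
        expected = download_signature(self.verify_keys[layer], module_name, module_body)
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"                                     # ST309
        self.external_memory[module_name] = module_body                # ST310
        return "stored"

def demo():
    """One SAM, three authentication devices and a rogue one, exercising the rules."""
    sam_id = b"SAM_ID-0001"
    keys = {name: bytes([i]) * 16 for i, name in enumerate(("K1", "KA", "KM", "KS"), 1)}
    modules = {"AP_1/settle": "AP", "hl_handler": "HANDLER", "os_kernel": "OS"}
    sam = SamDownloadTask(sam_id, keys, modules)
    dev_ap1 = AuthenticationDevice(sam_id, {k: keys[k] for k in ("K1", "KA")})          # 317_1
    dev_mid = AuthenticationDevice(sam_id, {k: keys[k] for k in ("K1", "KA", "KM")})    # 317_4
    dev_sup = AuthenticationDevice(sam_id, keys)                                        # 317_5
    rogue = AuthenticationDevice(sam_id, {"K1": b"\x00" * 16, "KA": keys["KA"]})        # wrong K1
    body, res = b"\x90\x00 module body", {}
    def attempt(tag, dev, name, sign_as=None, data=None):
        sig = dev.sign_module(sign_as or modules[name], name, body)
        res[tag] = sam.download(dev, name, data or body, sig)
    attempt("317_1 -> AP module", dev_ap1, "AP_1/settle")
    attempt("317_1 -> handler module signed with K_DA", dev_ap1, "hl_handler", sign_as="AP")
    attempt("317_4 -> handler module", dev_mid, "hl_handler")
    attempt("317_4 -> OS module", dev_mid, "os_kernel")
    attempt("317_5 -> OS module", dev_sup, "os_kernel")
    attempt("317_5 -> OS module altered in transit", dev_sup, "os_kernel", data=body + b"\xff")
    attempt("rogue device -> AP module", rogue, "AP_1/settle")
    res["stored"] = sorted(sam.external_memory)
    return res
```

Two points the chain makes concrete: a holder of KA alone cannot form K_DM, so its only option for a handler-layer module is a K_DA signature, which the SAM rejects because it selects K_DVM from the module's layer at ST308; and because K_DS is derived through K_DA and K_DM, a holder of KS necessarily also holds the keys for every lower layer, matching the note that 315_SUP can download AP-layer and handler-layer modules as well.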
The processing of a transaction using the IC card 303 performed by the communication system 301 shown in fig. 48 is explained below.
Fig. 60 illustrates the overall operation of the communication system shown in fig. 48.
Step ST 331:
the enterprises 315_1 to 315_3 or a party requested by the enterprises generate the applications AP _1, AP _2, and AP _3 of the enterprises that perform processing regarding transactions using the IC card 303 on the personal computers 316_1, 316_2, and 316_3 shown in fig. 48.
At this time, the download process described with reference to fig. 59 is executed.
Step ST 332:
the application programs AP _1, AP _2, and AP _3 are downloaded from the personal computers 316_1, 316_2, and 316_3 to the SAM chip 308 by the authentication means 317_1, 317_2, and 317_ 3.
At this time, the processing described with reference to fig. 56 is executed.
Step ST 333:
the IC card 303 is issued to the user.
The IC card 303 stores key information for a transaction between a user and a contracted enterprise.
Note that after the IC card 303 is issued, the user and the enterprise can also contract through the internet 310 or the like.
Step ST 334:
for example, when a user wishes to access the server 302 via the internet 310 using the personal computer 305 in order to purchase a product, the server 302 transmits a processing request to the ASP server 306 via the internet 310.
When receiving a processing request from the server 302, the ASP server 306 accesses the personal computer 305 through the internet 310. Further, the processing request for the IC card 303 issued by the reader/writer 304 is transmitted to the SAM chip 308 via the personal computer 305, the internet 310, and the ASP server 306.
Step ST 335:
the SAM chip 308 selects an application program by the settlement processing routine task according to the processing request received at step ST334, and executes the selected application program.
Step ST 336:
the SAM chip 308 outputs the execution result of the application program to the ASP server 306.
As described above, according to the communication system 301, by the authentication means 317_1, 317_2, and 317_3 holding the access master key information KA, the authentication means 317_4 holding the access master key information KM, the authentication means 317_5 holding the access master key information KS, and performing the process of downloading the program module to the external memory 307 as described above, it is possible to download the program module in accordance with the authority given in accordance with the software hierarchy shown in fig. 49. Thus, it is possible to prevent an unauthorized party from illegally exchanging or tampering with the program module to be executed by the SAM chip 308.
Further, according to the communication system 301, as described earlier, the authentication devices 317_1, 317_4, and 317_5 securely store information in the memories 350_1, 350_4, and 350_5. When corruption of this information by an external factor or forcible opening is detected by the detection means, the information saved in the memories 350_1, 350_4, and 350_5 is deleted. Thus, illegal use of the download key information for the SAM chip 308 can be avoided.
Further, according to the communication system 301, when the SAM chip 308 runs several applications, since data transfer between the applications or viewing of data and code is limited by the firewalls FW _1, FW _2, and FW _3, it is possible to prevent another application from illegally interfering with or tampering with the processing of the respective applications. In addition, the security of each application can be improved.
Further, according to the communication system 301, by constituting each application program by a plurality of program modules, it is possible to download the program modules to the external memory 307.
Further, according to the communication system 301, by encrypting the highly confidential key information for the operation of the IC card 303 in addition to the conventional scrambling and saving it in the external memory 307, the degree of security of the key information can be improved.
Further, according to the communication system 301, the bus scramble function encrypts and decrypts code when an application accesses it, so it is possible to prevent the application stored in the external memory 307 from being subjected to illegal analysis or the like while the processing of the SAM chip 308 is stopped.
Fig. 61 is a functional block diagram showing functional blocks of the SAM chip 308 shown in fig. 58 in more detail.
As shown in fig. 61, in the SAM chip 308, the ASPS communication interface means 360, the external memory communication interface means 361, the bus scramble means 362, the encryption/decryption means 365, the memory 364, and the CPU 366 are connected through an internal bus 390.
In the SAM chip 308 shown in fig. 61, for example, as shown in fig. 62, it is also possible to connect a card I/F device 391 on the internal bus 390 to an RF receiving/transmitting device 392 outside the SAM chip 308, and to transfer data with the IC card 303 by a contactless system through an antenna 392a of the RF receiving/transmitting device 392.
The invention is not limited to the embodiments described above.
For example, in the embodiment described above, the case where the program modules are downloaded from the personal computers 316_1 to 316_5 to the external memory 307 via the SAM chip 308 is exemplified, but even when the program modules are downloaded from the personal computers 316_1 to 316_5 to the memory 364 in the SAM chip 308, the present invention can be similarly applied by using the functions of the download task 365a described above.
Further, in the embodiment described above, the case where the authentication means 317_1 to 317_5 are provided for the internet 310 on the side of the personal computers 316_1 to 316_6 is exemplified, but as shown in fig. 63, the authentication means 317_1 to 317_5 may be provided in the SAM chip 308 and access to the authentication means 317_1 to 317_5 is permitted for the respective personal computers 316_1 to 316_5.
Fifth embodiment
The present embodiment is an embodiment corresponding to the 17 th and 18 th aspects of the present invention.
Fig. 64 is a view of the entire structure of the communication system 401 of the present embodiment.
As shown in fig. 64, the communication system 401 communicates through the internet 410 using a server 402, an IC card 403, a reader/writer 404, a personal computer 405, an ASP (application service provider) server 406, a SAM (secure application module) device 409, personal computers 416_1, 416_2, and 416_3, and authentication devices 417_1, 417_2, and 417_3, and performs settlement processing of a process using the IC card 403 or other processing.
The SAM device 409 has an external memory 407 and a SAM chip 408.
The SAM chip 408 has a software configuration shown in fig. 65. As shown in fig. 65, the SAM chip 408 has, from the bottom layer to the top layer, a HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer, and an AP layer.
The low level handler layer includes a driver layer.
Here, the AP layer includes application programs AP _1, AP _2, and AP _3 that determine a process in which the IC card 403 is used by a credit card company or other enterprises 415_1, 415_2, and 415_3 shown in fig. 64.
In the AP layer, a firewall FW is provided between the application programs AP _1, AP _2, and AP _3 and the high-level handler layer.
The SAM chip 408 is connected to the ASP server 406 through a bus 419 using a SCSI port, Ethernet, or the like. The ASP server 406 is connected via the internet 410 to a number of terminal devices including the personal computer 405 of an end user and the personal computers 416_1, 416_2, and 416_3 of the enterprises 415_1, 415_2, and 415_3.
The personal computer 405 is connected to the Dumb type reader/writer 404 through a serial port or a USB port. The reader/writer 404 realizes physical wireless communication with the IC card 403.
An operation command transmitted to the IC card 403 is generated on the SAM device 409 side, and a response packet from the IC card 403 is analyzed. Thus, the reader/writer 404, the personal computer 405, and the ASP server 406 interposed therebetween function only to save the command or response contents in the data payload section and relay the data payload section. They do not participate in encryption or decryption of data, authentication, and other actual operations in the IC card 403.
The enterprises 415_1, 415_2, and 415_3 generate the application programs AP_1, AP_2, and AP_3 using the personal computers 416_1, 416_2, and 416_3, and download the generated application programs to a storage area pre-allocated in the external memory 407 through the SAM chip 408 by the authentication means 417_1, 417_2, and 417_3.
At this time, since the enterprises 415_1, 415_2, and 415_3 have no relation to each other, the storage areas of the downloadable applications AP _1, AP _2, and AP _3 in the external memory 407 are determined in advance, and whether or not there is an authority to download to such storage areas is verified by the SAM chip 408.
Further, data transfer and data viewing between the applications AP _1, AP _2, and AP _3 is limited by the firewall FW.
When the application programs AP _1, AP _2, and AP _3 are downloaded to the SAM chip 408, as described later, the authentication means 417_1, 417_2, and 417_3 perform mutual authentication with the SAM chip 408, generate download signature authentication key information, and the like.
The SAM device 409 shown in fig. 64 will be described in detail below.
External memory 407
Fig. 66 illustrates a storage area of the external memory 407.
As shown in fig. 66, the storage areas of the external memory 407 include an AP storage area 420_1 that stores an application program AP _1 of the enterprise 415_1, an AP storage area 420_2 that stores an application program AP _2 of the enterprise 415_2, an AP storage area 420_3 that stores an application program AP _3 of the enterprise 415_3, and an AP management storage area 421 used by a manager of the SAM chip 408.
The application program AP_1 stored in the AP storage area 420_1 is composed of several program modules. Access to the AP storage area 420_1 is limited by a firewall FW_1.
The application program AP_2 stored in the AP storage area 420_2 is composed of several program modules. Access to the AP storage area 420_2 is limited by a firewall FW_2.
The application program AP_3 stored in the AP storage area 420_3 is composed of several program modules. Access to the AP storage area 420_3 is limited by a firewall FW_3.
In the present embodiment, the above program module is the smallest unit downloaded from outside the SAM apparatus 409 to the external memory 407. The number of program modules constituting each application program can be freely determined by the corresponding enterprise.
Further, the application programs AP _1, AP _2, and AP _3 are generated by the enterprises 415_1, 415_2, and 415_3 using the personal computers 416_1, 416_2, and 416_3 shown in fig. 64, and are downloaded to the external memory 407 through the SAM chip 408.
With the firewall FW _4, access to the AP management storage area 421a is permitted only by the administrator of the SAM chip 408.
Note that the firewalls FW _1, FW _2, FW _3 and FW _4 correspond to the firewalls FW shown in fig. 65.
The AP management storage area 421 holds module management data 421 shown in fig. 66.
Here, the AP management data 421 is used by the SAM chip 408 to manage the execution of the application programs AP_1, AP_2, and AP_3.
In the present embodiment, as described later, the application programs AP _1, AP _2, and AP _3 and the AP management data 421 stored in the external memory 407 are scrambled by the bus scrambling means 461 in the SAM chip 408 using the scrambling key K. When read into the SAM chip 408, they are descrambled using the scrambling key K.
SAM chip 408
Fig. 67 is a functional block diagram of the SAM chip shown in fig. 64.
As shown in fig. 67, the SAM chip 408 has an ASPS communication interface means 460, a bus scrambling means 461, a signature processing means 462, an authentication processing means 463, an encryption/decryption means 464, a memory 465, and a CPU 466.
The SAM chip 408 is a tamper-resistant module.
Here, the CPU 466 corresponds to a data processing circuit of the present invention, and the bus scrambling device 461 corresponds to a data input/output circuit of the present invention.
Further, the SAM chip 408 corresponds to a semiconductor circuit of the present invention, and the external memory 407 corresponds to a semiconductor memory circuit of the present invention.
The ASPS communication interface means 460 is an interface for inputting and outputting data with respect to the ASP server 406 shown in fig. 64.
The bus scrambler 461 scrambles data to be written into the external memory 407 and descrambles data read out from the external memory 407.
That is, the external memory 407 stores data in a scrambled state.
The processing of the bus scrambling device 461 will be described in detail later.
As described later, the signature processing means 462 generates a signature and verifies the signature when an application is downloaded via the internet 410 and when the application is executed.
As described later, when the application program is downloaded to the external memory 407 via the internet 410, the authentication processing apparatus 463 performs mutual authentication with the other party.
The encryption/decryption device 464 encrypts data and decrypts encrypted data.
The memory 465 holds data necessary for the processing of the CPU 466.
At the time of accessing the external memory 407 through the bus scramble apparatus 461, the CPU 466 executes the application programs AP _1, AP _2, and AP _3, and executes various processes corresponding to the services of the SAM chip 408.
The processing of the bus scrambling means 461 will be described in detail below.
Note that, in the present embodiment, the case where the bus scrambling device 461 is used when accessing an external bus is exemplified, but the bus scrambling device 461 may also be applied where data is input to or output from the outside of the SAM chip 408 through an I/O bus or the like.
The bus scrambling device 461 encrypts data input from the CPU 466 with a predetermined scrambling key K, and then writes it to the external memory 407 through the bus 419.
Further, the bus scrambling device 461 decrypts the data read from the external memory 407 through the bus 419 with the scrambling key K, and outputs it to the CPU 466.
[ Address space ]
The encryption block length of the encryption algorithm used by the bus scrambler 461 is denoted Nc, and the data bus width of the bus 419 is denoted Nb. In the following example, consider the case where Nc is an integer multiple of Nb, i.e., Nc/Nb is an integer n.
Note that due to the addition of the parity and the address scrambling, the address space of the CPU 466 (address space in the SAM chip 408) and the address space used when the bus scrambling means 461 accesses the external memory 407 (hereinafter also referred to as "external memory address space") are different.
Then, as shown in fig. 68, the bus scrambling means 461 converts an address CPU_ADR (first address of the present invention) input from the CPU 466 into an address MEM_ADR (second address of the present invention) of the external memory address space by using a predetermined mapping f (address conversion algorithm). The bus scrambling means 461 accesses the external memory 407 using the address MEM_ADR.
As shown in fig. 69, the mapping f is defined only for an address a1 (address CPU_ADR) satisfying "a1 mod Nc/Nb = 0". For any other address a2, the external memory 407 is accessed with f(a2 - (a2 mod Nc/Nb)).
Here, "x mod y" is the remainder after x is divided by y.
That is, the bus scrambling device 461 reads and writes data with respect to the external memory 407 in units of the encryption block length Nc.
Here, when Nc/Nb = n and m is the smallest integer not less than n, the bus scrambling device 461 performs each access to the external memory 407 through the bus 419 (data input/output transaction of the present invention) as a unit of m bus transactions.
[Structure of bus scrambling device 461]
Fig. 70 is a functional block diagram of a bus scrambling device 461.
As shown in fig. 70, the bus scrambling means 461 has an encryption means 431, a decryption means 432, an address management means 433, a scrambling key management means 434, a parity processing means 435, a pipeline processing control means 436, a work memory 437, and a controller 438.
The encryption device 431 encrypts the data input from the CPU 466 with a predetermined scrambling key K.
The decryption device 432 decrypts the data read from the external memory 407 with a predetermined scrambling key K.
As described above, the address management means 433 converts the address CPU _ ADR input from the CPU 466 into the address MEM _ ADR.
The scrambling key management means 434 manages the scrambling keys K used at the encryption means 431 and the decryption means 432, and appropriately exchanges the scrambling keys K.
The parity processing device 435 adds parity data to the data to be written to the external memory 407, and verifies the parity data added to the data read from the external memory 407.
The pipeline processing control device 436 divides the processing of the bus scrambling device 461 into several stages, and controls the system to pipeline the processing in units of stages.
The work memory 437 is used for processing by the bus scrambling device 461.
The controller 438 comprehensively controls the processing of the bus scrambling device 461.
[Write operation to the external memory 407]
Fig. 71 illustrates the operation of the bus scrambling device 461 when the CPU 466 shown in fig. 67 writes data to the external memory 407.
Fig. 72 is a flowchart illustrating the operation shown in fig. 71.
Step ST 401:
the CPU 466 outputs the data to be written, i.e., "d32", and the address CPU_ADR, i.e., "a3", to the bus scrambling device 461.
The data "d32" is written in the work memory 437 of the bus scrambling device 461 shown in fig. 70.
Step ST 402:
when Nc > Nb, the address management device 433 shown in fig. 70 computes the mapping f(a3 - (a3 mod Nc/Nb)) for the address "a3", i.e., f(a3-1), and uses f(a3-1) as the address MEM_ADR of the external memory address space.
Step ST 403:
the controller 438 shown in fig. 70 reads the encrypted data block e({X1, X2}) from the external memory 407 using the address MEM_ADR = f(a3-1) obtained at step ST402 and writes it to the work memory 437.
Step ST 404:
the decryption device 432 shown in fig. 70 decrypts the data block e({X1, X2}) read from the work memory 437, resulting in a data block {X1, X2}. Further, the parity processing means 435 uses the parity data added to the data block e({X1, X2}) for parity processing, and then writes the data block {X1, X2} again to the working memory 437.
Step ST 405:
the controller 438 reads the decrypted data block {X1, X2} from the working memory 437, overwrites the part "X2" corresponding to the address "a3" with the write data "d32" so as to generate the data block {X1, d32}, and writes it to the working memory 437.
Step ST 406:
the parity processing means 435 generates parity data for the data block {X1, d32}.
Step ST 407:
the encryption device 431 encrypts the data block {X1, d32} read from the working memory 437 with the scrambling key K.
Step ST 408:
the controller 438 writes the data block {X1, d32} encrypted at step ST407 to the address MEM_ADR = f(a3-1) of the external memory 407, and writes the parity data generated at step ST406 to a predetermined area of the external memory 407.
Note that before encrypting the data block in step ST407, the controller 438 determines whether the address input next from the CPU 466 is "a3-1". If it is "a3-1", the data "X1" in the data block is also overwritten with that write data, and the block is then encrypted and written to the external memory 407.
Thereby, the number of steps in the case of writing to consecutive addresses can be reduced.
Further, even when data of data length Nb is written to the external memory 407, the controller 438 pads the data with data of data length (Nc-Nb) to obtain data of data length Nc, then encrypts it, and writes it to the external memory 407.
That is, a memory area of data length Nc in the external memory 407 is allocated even for data of data length Nb.
[Reading from the external memory 407]
Fig. 73 illustrates a read operation from the external memory 407 by the bus scrambling device 461.
Fig. 74 is a flowchart illustrating the read operation.
Step ST 411:
the CPU 466 outputs an address CPU_ADR to be read to the bus scrambling device 461.
Step ST 412:
when Nc > Nb, the address management device 433 shown in fig. 70 computes the mapping f(a3 - (a3 mod Nc/Nb)), i.e., the mapping f(a3-1), for the address "a3", and uses the mapping f(a3-1) as the address MEM_ADR of the external memory address space.
Step ST 413:
the CPU 466 shown in fig. 67 reads the encrypted (scrambled) data block e({d31, d32}) from the external memory 407 using the address MEM_ADR = f(a3-1) obtained at step ST402 and writes it to the work memory 437.
Step ST 414:
the decryption device 432 shown in fig. 70 decrypts the data block e({d31, d32}) read from the working memory 437, resulting in {d31, d32}. Further, the parity processing means 435 uses the parity data added to the data block e({d31, d32}) for parity processing, and then writes the data block {d31, d32} again to the working memory 437.
Step ST 415:
the controller 438 takes out the data "d32" corresponding to the CPU_ADR "a3" from the decrypted data block {d31, d32} read from the work memory 437, and outputs it to the CPU 466.
That is, the controller 438 takes out the "(a3 mod Nc/Nb) + 1"-th data in the data block and outputs it to the CPU 466.
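The write (steps ST401 to ST408) and read (steps ST411 to ST415) procedures above, as an added simulation that is not part of the patent or of Sony's implementation: it assumes Nb = 4 bytes, Nc = 8 bytes (so n = Nc/Nb = 2), a one-byte XOR parity stored immediately after each encrypted block, and a keyed SHA-256 keystream XOR as a stand-in for the block cipher; the mapping f, the parity format, the memory layout and all names are constructed for illustration.

```python
import hashlib

# Constructed parameters: bus width Nb, block length Nc, parity length Np (bytes).
NB = 4
NC = 8
NP = 1
N = NC // NB          # n = Nc/Nb: words of bus width per encryption block


class ParityError(Exception):
    """Raised when the parity stored beside a block does not match its plaintext."""


class BusScrambler:
    """Simulation of the read-modify-write bus scrambler (bus scrambling device 461).

    The external memory holds only scrambled blocks plus their parity byte; the
    CPU sees word addresses and never observes the ciphertext.
    """

    def __init__(self, key: bytes, n_blocks: int):
        self.key = key
        # External memory: n_blocks slots of (encrypted block || parity byte).
        self.mem = bytearray(n_blocks * (NC + NP))
        for b in range(n_blocks):
            self._store(b * (NC + NP), bytes(NC))   # start from encrypted zero blocks

    @staticmethod
    def f(cpu_addr: int) -> int:
        """Mapping f: defined only for block-aligned CPU word addresses (a mod n == 0).

        Each block of n words occupies Nc + Np bytes externally, so the external
        address grows by the parity overhead (the parity-only mapping).
        """
        if cpu_addr % N != 0:
            raise ValueError("f is defined only for addresses with a mod Nc/Nb == 0")
        return (cpu_addr // N) * (NC + NP)

    def _keystream(self, mem_addr: int) -> bytes:
        # Stand-in for the block cipher: keystream bound to key K and external address.
        return hashlib.sha256(self.key + mem_addr.to_bytes(4, "big")).digest()[:NC]

    def _crypt(self, block: bytes, mem_addr: int) -> bytes:
        # XOR with the keystream; the same operation encrypts and decrypts.
        return bytes(x ^ y for x, y in zip(block, self._keystream(mem_addr)))

    @staticmethod
    def _parity(block: bytes) -> int:
        # One-byte XOR parity. The patent leaves the parity scheme open; a MAC
        # would be the robust choice against deliberate tampering.
        p = 0
        for byte in block:
            p ^= byte
        return p

    def _store(self, mem_addr: int, block: bytes) -> None:
        # ST406-ST408: parity of the plaintext, encrypt, write block then parity.
        self.mem[mem_addr:mem_addr + NC] = self._crypt(block, mem_addr)
        self.mem[mem_addr + NC] = self._parity(block)

    def _load(self, mem_addr: int) -> bytearray:
        # ST403-ST404 / ST413-ST414: read block, decrypt, verify stored parity.
        block = self._crypt(bytes(self.mem[mem_addr:mem_addr + NC]), mem_addr)
        if self._parity(block) != self.mem[mem_addr + NC]:
            raise ParityError(f"parity mismatch for external address {mem_addr}")
        return bytearray(block)

    def write_word(self, cpu_addr: int, word: bytes) -> int:
        """CPU write of one bus-width word; returns the external address used."""
        if len(word) != NB:
            raise ValueError("word must be exactly Nb bytes")
        base = cpu_addr - (cpu_addr % N)          # ST402: align to the block start
        mem_addr = self.f(base)
        block = self._load(mem_addr)              # ST403-ST404: fetch the whole block
        i = cpu_addr % N                          # ST405: position of the word in the block
        block[i * NB:(i + 1) * NB] = word
        self._store(mem_addr, bytes(block))       # ST406-ST408
        return mem_addr

    def read_word(self, cpu_addr: int) -> bytes:
        """CPU read of one bus-width word: the (a mod Nc/Nb)+1-th word of the block."""
        base = cpu_addr - (cpu_addr % N)          # ST412
        block = self._load(self.f(base))          # ST413-ST414
        i = cpu_addr % N                          # ST415
        return bytes(block[i * NB:(i + 1) * NB])


def tamper_is_detected(scrambler: BusScrambler, cpu_addr: int) -> bool:
    """Flip one ciphertext bit of the block holding cpu_addr in external memory and
    report whether the next CPU read of that address raises ParityError."""
    base = cpu_addr - (cpu_addr % N)
    scrambler.mem[BusScrambler.f(base)] ^= 0x01
    try:
        scrambler.read_word(cpu_addr)
    except ParityError:
        return True
    return False
```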
[Management of scrambling key]
The scrambling key management means 434 shown in fig. 70 manages scrambling keys used in the encryption means 431 and the decryption means 432 as follows.
The scrambling key management means 434 may use a different key for each address in the external memory 407. Thus, several scrambling keys must be maintained. An example of a method of storing several scrambling keys is shown below.
As shown in fig. 75, the scrambling key management device 434 holds several scrambling keys K1, K2, and K3. It exchanges a key used according to an address from the CPU 466 and outputs it to the encryption device 431 and the decryption device 432.
Specifically, it uses the scrambling key K1 when accessing the address "a1", the scrambling key K2 when accessing the address "a2", and the scrambling key K3 when accessing the address "a3".
Further, as shown in fig. 76, the calculation circuit 434a in the scrambling key management device 434 performs a calculation using a base key Ks and the address input from the CPU 466, and outputs the calculation result as the scrambling key K to the encryption device 431 and the decryption device 432.
The calculation may be encryption or decryption of the padded address value with Ks, an exclusive OR (XOR) of the two, or another calculation.
Further, the scrambling key may be held at a predetermined location accessible over the bus, and the scrambling key corresponding to the address issued by the CPU 466 may be input to the bus scrambling means 461 through the bus. In this case, since the data bus for transmitting the scrambling key is the same as the bus of the bus scrambler, it must be controlled by the memory controller. The place to hold the scrambling key may be anywhere inside or outside the SAM chip 408, but if it is outside the chip, in order to secure the path to the chip, the scrambling key is encrypted with a transport key and decrypted when it reaches the bus scrambling means 461. The bus scrambling means 461 holds the transport key in hardware or software.
However, in the bus scrambling device 461, even if the scrambling key is changed for each address input from the CPU 466, if a certain address is accessed repeatedly, the possibility that the scrambling of that address area is analyzed increases over time. For this reason, the scrambling key is not kept constant, but is made variable by the techniques described below.
For example, when the SAM chip 408 or the like is powered on, the scrambling key management means 434 causes a random number to be generated so as to generate a scrambling key. Essentially the scrambling key only needs to be known by the bus scrambler and therefore no problems like key transmission, synchronization etc. arise.
Further, the scrambling key management means 434 exchanges a scrambling key for each access to the external memory 407. In this case, the key for encrypting the data already present in the external memory 407 and the currently held key must be different.
Then, the scrambling key is updated as shown in fig. 77 and fig. 78, for example.
[1]: the encryption device 431 receives data "d3" from the CPU 466, and the bus scrambling device 461 receives an address "a1" from the CPU 466.
[2]: the bus scrambler 461 accesses the address "f(a1)" of the external memory 407.
[3]: data "e({d1, d2})" is read from the address "f(a1)" of the external memory 407 into the decryption device 432.
[4]: the decryption apparatus 432 decrypts data "e({d1, d2})" to generate data "{d1, d2}".
At this time, the scrambling key management device 434 selects the scrambling key K1, and the decryption device 432 decrypts using the scrambling key K1.
Further, "d1" is overwritten by the data "d3", resulting in data "{d3, d2}".
[5]: the bus scrambling device 461 changes the scrambling key from K1 to K2. The scrambling keys K1 and K2 are timer values, values held at the respective addresses, or values generated by random number generation or other techniques.
[6]: the encryption device 431 encrypts the rewritten data "{d3, d2}" with the changed scrambling key K2, and generates data "e({d3, d2})".
[7]: data "e({d3, d2})" is written at address "f(a1)" of the external memory 407.
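The per-address key derivation of fig. 76 and the key exchange on every write of figs. 77 and 78 (steps [1] to [7] above), as an added simulation that is not part of the patent: it assumes a base key Ks, a keyed SHA-256 of the padded address as the "encrypt the padded address with Ks" calculation, SHA-256 keystream XOR as a stand-in for the block cipher, and a key table inside the scrambler holding the current key of each external address; class and function names are constructed.

```python
import hashlib
import os

NB = 4   # bus width in bytes (constructed)
NC = 8   # encryption block length in bytes (constructed)


def derive_key(ks: bytes, mem_addr: int) -> bytes:
    """Initial scrambling key for one external address: a keyed hash of the
    address padded to 4 bytes (stand-in for 'encrypt the padded address with Ks')."""
    return hashlib.sha256(ks + mem_addr.to_bytes(4, "big")).digest()[:16]


def crypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: XOR with a key-derived keystream (self-inverse)."""
    stream = hashlib.sha256(key).digest()[:NC]
    return bytes(x ^ y for x, y in zip(block, stream))


class KeyRotatingScrambler:
    """Keeps one scrambling key per external address and replaces it on every write.

    With a stream-style cipher like the one above, re-encrypting a changed block
    under the old key would leak d1 XOR d3 to anyone who captured both
    ciphertexts; the per-write key change removes that relation.
    """

    def __init__(self, ks: bytes):
        self.ks = ks
        self.mem = {}    # external address f(a) -> encrypted block
        self.keys = {}   # external address f(a) -> key currently in use there

    def key_for(self, mem_addr: int) -> bytes:
        # First use of an address: key K1 derived from Ks and the address.
        return self.keys.setdefault(mem_addr, derive_key(self.ks, mem_addr))

    def init_block(self, mem_addr: int, plaintext: bytes) -> None:
        """Place an initial block, e.g. {d1, d2}, encrypted under that address's key."""
        self.mem[mem_addr] = crypt(self.key_for(mem_addr), plaintext)

    def read_block(self, mem_addr: int) -> bytes:
        # Steps [2]-[4]: fetch e({d1, d2}) and decrypt with the current key.
        return crypt(self.key_for(mem_addr), self.mem[mem_addr])

    def write_word(self, mem_addr: int, index: int, word: bytes):
        """Steps [1]-[7]: overwrite one word of the block and re-encrypt under a new key.

        Returns (old_key, new_key) so a caller can confirm the rotation happened.
        """
        block = bytearray(self.read_block(mem_addr))        # [3]-[4] with K1
        block[index * NB:(index + 1) * NB] = word            # {d1, d2} -> {d3, d2}
        old_key = self.keys[mem_addr]
        new_key = os.urandom(16)                             # [5] K2 from a random number
        self.keys[mem_addr] = new_key
        self.mem[mem_addr] = crypt(new_key, bytes(block))    # [6]-[7] e({d3, d2}) with K2
        return old_key, new_key
```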
[Parity processing by parity processing device 435]
When writing data to the external memory 407, the parity processing means 435 calculates parity data of the data in advance, before encryption, and writes the parity data to the external memory 407 together with the encrypted data.
Thus, when some kind of physical problem occurs in the external memory 407, data is falsified, or the like, it is detected at the time of reading, and the program can be executed more safely.
Further, since the parity data is added, even if the length of the plain text and the length of the encrypted text are the same, the address space of the CPU 466 and the address space of the external memory 407 never completely coincide. This is because, when data "d1" is written at the address "a1", the parity data "p1" (size Np) of the data "d1" must be written somewhere in the external memory 407 at the same time as the Nc section is written at f(a1). The parity data can be stored in the external memory 407 in the following ways, for example.
In one case, the parity data is placed immediately after the data obtained by encrypting the corresponding plain text. The bus scrambler 461 then reads data "e(d1)" from the address "f(a1)" of the external memory 407, and subsequently reads parity data "p1" from the address "f(a1) + Nc/Nb". Thus, the bus scrambling means 461 does not have to perform any special calculation other than the mapping f of addresses.
In another case, a storage area dedicated to parity data is reserved in advance in the external memory 407, and parity data "p1" is written into that dedicated storage area. In this case, the bus scrambling device 461 must perform processing according to a parity address mapping fp. The parity data "p1" is written to the address "fp(a1)" in the external memory 407.
When the parity processing means 435 detects a parity error, it suspends the processing of the CPU 466 or the like to prevent illegal processing of data or programs. Note that the contents of the parity check processing are not particularly limited.
[Pipeline processing by the pipeline processing control device 436]
In the present embodiment, under the control of the pipeline processing controller 436, the processing of the bus scrambler 461 is divided into several stages, and a pipeline is formed in units of stages, whereby the access time to the external memory 407 as observed by the CPU 466 can be shortened.
That is, when not pipelined, one memory access from the CPU 466 to the external memory 407 requires at least the time required to process one encrypted block.
For example, if the processing performed by the bus scrambling device 461 is pipelined for a read instruction for the data at the address "a1" issued by the CPU 466, then, when the CPU 466 successively requests the data at the addresses following "a1" in accordance with the program code or the like, the overhead of the encryption and decryption processing can be eliminated if the bus scrambling device 461 reads the data at the address "f(a1 + Nc/Nb)" following the address "f(a1)" in advance.
For example, consider a case in which the memory access time is ignored, encryption of each data item is performed in three cycles (rounds) as in triple DES, one encryption cycle requires one clock pulse, Nc/Nb = 1, and the CPU 466 issues instructions specifying the addresses "a1", "a1+1", and "a1+2" so as to successively read data from the external memory 407.
At this point, three rounds of decryption are necessary and three clock pulses are required to decrypt each data.
If no pipeline processing is performed, as shown in fig. 79A, three clock pulses after the CPU 466 issues the first read instruction, the data "e3(d1)" read from the external memory 407 with the address "a1" has been decrypted three times, obtaining the data "d1", which is then input to the CPU 466. Subsequently, after another three clock pulses, the data "e3(d2)" read from the external memory 407 with the address "a1+1" has been decrypted three times, obtaining the data "d2", which is then input to the CPU 466. Thereafter, after another three clock pulses, the data "e3(d3)" read from the external memory 407 with the address "a1+2" has been decrypted three times, obtaining the data "d3", which is then input to the CPU 466.
That is, the data "d1", "d2", and "d3" have all been input to the CPU 466 nine clock pulses after the CPU 466 issues the first read instruction.
In contrast, in the present embodiment, the pipeline processing controller 436 converts the decryption process of the decryption device 432 into a three-stage pipeline process as shown in fig. 79B by regarding each cycle as one stage.
Thus, although three clock pulses are still needed from the time the CPU 466 issues the first read instruction until the data corresponding to the address "a1" is input to the CPU 466, the data corresponding to the addresses "a1+1" and "a1+2" are input to the CPU 466 one per clock pulse thereafter.
Thus, five clock pulses after the CPU 466 issues the read instruction for the first time, all of the data "d1", "d2", and "d3" have been input to the CPU 466.
Note that when the CPU 466 requests data at an address "a2" that is not consecutive with the address "a1" after "a1", the data on the pipeline is discarded, and the data at addresses "a2", "a2+1", … are loaded into the pipeline.
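The cycle counts of figs. 79A and 79B, as an added clock-level simulation that is not part of the patent: each decryption round is one pipeline stage costing one clock, memory access time is ignored, Nc/Nb = 1, and the prefetch of the next consecutive address and the discard on a non-consecutive request follow the description above; the class and its interface are constructed here.

```python
class PipelinedDecryptor:
    """Clock-level model of the decryption pipeline of the bus scrambling device.

    Each in-flight block is an [address, rounds_completed] pair. Every clock
    advances all of them by one round; in pipelined mode the scrambler also
    prefetches the next consecutive address while a stage is free.
    """

    def __init__(self, rounds: int, pipelined: bool = True):
        self.rounds = rounds          # e.g. 3 for a triple-DES-style cipher
        self.pipelined = pipelined
        self.clock = 0                # clock pulses since the first read instruction
        self.pipe = []                # blocks in flight, oldest first

    def _tick(self) -> None:
        self.clock += 1
        for entry in self.pipe:
            entry[1] += 1
        # Speculatively start the next consecutive address when a stage is free.
        if self.pipelined and len(self.pipe) < self.rounds:
            self.pipe.append([self.pipe[-1][0] + 1, 0])

    def read(self, addr: int) -> int:
        """Serve one CPU read; returns the clock at which its data is delivered."""
        if not self.pipe or self.pipe[0][0] != addr:
            # Non-consecutive request (or empty pipe): discard everything in flight
            # and start decrypting the requested block from round 0.
            self.pipe = [[addr, 0]]
        while self.pipe[0][1] < self.rounds:
            self._tick()
        self.pipe.pop(0)
        return self.clock


def delivery_clocks(addresses, rounds: int, pipelined: bool) -> list:
    """Clock at which each requested address's data reaches the CPU."""
    dec = PipelinedDecryptor(rounds, pipelined)
    return [dec.read(a) for a in addresses]
```

For the three consecutive reads of the text, the model gives deliveries at clocks 3, 6, 9 without the pipeline and 3, 4, 5 with it; a jump to a non-consecutive address pays the full three clocks again.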
[Address scrambling by the address management device 433]
When the SAM chip 408 repeatedly accesses a specific continuous address area in the external memory 407, it can be predicted to some extent that the continuous address area is a subroutine or an array. In the case of arrays or other data, it is easy for an attacker to obtain useful (critical to the operator) data by intensively attacking the contiguous address area.
To avoid this, in the present embodiment, the address bus between the CPU 466 and the SAM chip 408 passes through the bus scrambling means 461, and the address management means 433 scrambles the address, so that access to a continuous area in the external memory 407 can be prevented. This scrambling corresponds to the mapping f mentioned above. If the address is not scrambled, the mapping f becomes a mapping that only reserves an area for the parity data, for example, for all a ∈ [CPU address space], f(a) = (1 + p)a, where p is the size ratio of the parity data.
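The two mappings in this section, as an added example that is not part of the patent: the unscrambled parity-only mapping f(a) = (1 + p)a (here in bytes, with Nc = 8 and Np = 1 so p = 1/8), and a scrambled variant that applies a keyed permutation to the block index so that consecutive CPU blocks do not land in a contiguous external area; the permutation method (ranking blocks by a keyed hash), the key Ka and the class names are constructed for illustration.

```python
import hashlib

NC = 8   # encryption block length in bytes (constructed)
NP = 1   # parity length in bytes (constructed)


def parity_only_map(a: int) -> int:
    """f(a) = (1 + p) a with p = Np/Nc, for a block-aligned byte address a.

    Without address scrambling, f only makes room for the parity stored
    beside each block, so consecutive blocks stay consecutive.
    """
    if a % NC != 0:
        raise ValueError("f is defined only for block-aligned addresses")
    return a * (NC + NP) // NC


class ScrambledAddressMap:
    """Address management device that permutes block indices with a key Ka.

    Blocks are ordered by a keyed hash of their index; the rank of a block in
    that order is its external block index. This is a bijection, so every
    external slot is used exactly once and the mapping can be inverted by
    whoever holds Ka, but it cannot be predicted from the CPU address alone.
    """

    def __init__(self, ka: bytes, n_blocks: int):
        order = sorted(
            range(n_blocks),
            key=lambda b: hashlib.sha256(ka + b.to_bytes(4, "big")).digest(),
        )
        self.perm = {block: rank for rank, block in enumerate(order)}

    def f(self, a: int) -> int:
        """Scrambled mapping: permuted block index times the external block size,
        plus the unchanged offset inside the block."""
        block, offset = divmod(a, NC)
        return self.perm[block] * (NC + NP) + offset


def external_block_order(amap: ScrambledAddressMap, n_blocks: int) -> list:
    """External block index for each consecutive CPU block 0..n_blocks-1."""
    return [amap.f(b * NC) // (NC + NP) for b in range(n_blocks)]
```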
The overall operation of the communication system 401 shown in fig. 64 will be described below.
Fig. 80 illustrates the overall operation of the communication system 401 shown in fig. 64.
Step ST 431:
Enterprises 415_1 to 415_3, or parties commissioned by them, generate application programs AP_1, AP_2, and AP_3 for processing the transactions the enterprises perform using the IC card 403, on the personal computers 416_1, 416_2, and 416_3 shown in fig. 64.
Further, the administrator of the SAM chip 408 generates AP management data 421, scrambles it, and stores it in the external memory 407.
Step ST 432:
the application programs AP _1, AP _2, and AP _3 are downloaded from the personal computers 416_1, 416_2, and 416_3 to the SAM chip 408 through the authentication means 417_1, 417_2, and 417_ 3.
Step ST 433:
The IC card 403 is issued to the user.
The IC of the IC card 403 holds key information for transactions agreed upon by the user and the enterprise.
Note that after the IC card 403 is issued, the contract between the user and the enterprise may also be concluded through the internet 410 or the like.
Step ST 434:
for example, when a user attempts to purchase a product by accessing the server 402 using the personal computer 405 through the internet 410, the server 402 issues a processing request to the ASP server 406 through the internet 410.
When the ASP server 406 receives a processing request from the server 402, it accesses the personal computer 405 through the internet 410. Further, a processing request relating to the IC card 403 issued from the reader/writer 404 is transmitted to the SAM chip 408 through the personal computer 405, the internet 410, and the ASP server 406.
Step ST 435:
the SAM chip 408 selects an application program according to the processing request received at step ST434 and executes the selected application program.
In the execution of the application program, the SAM chip 408 and the external memory 407 communicate according to the processing of the bus scrambling means 461 mentioned above.
Step ST 436:
the SAM chip 408 outputs the execution result of the application program to the ASP server 406.
Fig. 81 is a functional block diagram showing functional blocks of the SAM chip 408 shown in fig. 67 in more detail.
As shown in fig. 81, in the SAM chip 408 the card I/F device 491, the ASP communication interface device 460, the bus scramble device 461, the encryption/decryption device 465, the memory 463, and the CPU 466 are connected through an internal bus 490.
Part of the functions of the signature processing means 462 and the verification processing means 463 shown in fig. 67 are realized by the CPU 466.
As shown in fig. 82, in the SAM chip 408 of fig. 81 the card I/F device 491 connected to the internal bus 490 may be connected to an RF transmitting/receiving device 492 located outside the SAM chip 408, so that data is exchanged with the IC card 403 in a contactless manner through the antenna 492a of the RF transmitting/receiving device 492.
As described above, according to the communication system 401, by giving the above-described function to the bus scrambling means 461 in the SAM chip 408, the following effects are obtained.
That is, according to the communication system 401, confidential data relating to processing using the IC card 403 can be securely stored in the external memory 407.
Further, according to the communication system 401, by pipelining the processing of the bus scramble apparatus 461, the SAM chip 408 can access the external memory 407 at high speed.
Further, according to the communication system 401, by providing the bus scrambler 461 with a parity function, it is possible to improve the reliability of data read from the external memory 407.
Sixth embodiment
This embodiment corresponds to the 19th aspect of the present invention.
[ correlation technique of the present example ]
First, a computer for executing a transaction business program using an IC card according to the related art of the present invention will be described.
Fig. 83 is a functional block diagram of a computer 501 for use in electronic settlement of the related art of the present invention.
As shown in fig. 83, the computer 501 has a CPU 502, a memory 503, and a communication circuit 504.
The CPU 502, memory 503, and communication circuit 504 are connected to a CPU data bus 506.
The CPU 502 and the communication circuit 504 are connected to a CPU address bus 507.
The CPU 502 comprehensively controls the operation of the computer 501, operates according to instructions of a program stored in the memory 503, and accesses the memory 503 during its operation.
The communication circuit 504 communicates with the IC card 508 through a contact system or a noncontact system. In the case of the contact type, the IC card 508 and the communication circuit 504 are connected by electrical contacts. Further, in the case of the noncontact type, the IC card 508 and the communication circuit 504 are connected by electromagnetic waves, light, or the like.
Data received from the IC card 508 through the communication circuit 504 is processed by the CPU 502 in accordance with a program stored in the memory 503. Further, data obtained by the processing of the CPU 502 is transmitted to the IC card 508 through the communication circuit 504.
Further, the CPU 502 writes the settlement result generated by the communication with the IC card 508 in the memory 503.
Fig. 84 illustrates a software configuration of the CPU 502 shown in fig. 83.
In fig. 84, the lowest layer is a hardware layer, i.e., a hardware component of the CPU 502 shown in fig. 83.
Above the hardware layer is a communication driver layer, which contains the communication driver that controls the communication circuit 504 connected to the CPU 502. The program of the communication driver layer is typically stored in a non-volatile memory.
Above the communication driver layer is an Operating System (OS) layer that provides programs that form the basis of the operation of the CPU 502. The OS layer provides higher conceptual services to the highest Application (AP) layer than the following layers. Examples thereof include, for example, functions "get card type ()", "read card data ()" and "write card data ()" described later.
Further, on the OS layer is an AP layer that determines a specific function (service) implemented by the computer 501. The AP layer has applications MAIN, AP _1, AP _2, and AP _ 3.
In this embodiment, the preparation of settlement or other transactions using the IC card 508 will be exemplified in the form of an application.
For example, in the OS layer and the AP layer, a function for determining the type of the IC card 508 is defined as "get card type()".
In the OS layer and the AP layer, the type of the IC card 508 can be determined by calling this function. For example, assume that there are three types of IC card 508, i.e., types A, B, and C. The return value of the function for each type of IC card 508 is defined as shown in fig. 85.
For example, if a type B IC card 508 is used, the return value of the function "get card type()" is "2".
Further, in the OS layer and the AP layer, "read data(*rp)" is defined as a function for reading data from the internal memory of the IC card 508.
Here, "*rp" follows the pointer notation of the C language: the asterisk indicates that the following variable is a pointer variable, "rp" holds a specific address in the internal memory of the IC card 508, and "*rp" denotes the content of address "rp" in the memory of the IC card 508. Now, assume that the internal memory holds the data shown in fig. 86.
If "rp" is assumed to be "102H", the return value of the function "read data(*rp)" is "56H", that is, the data at address "102H" is read.
Further, in the OS layer and the AP layer, "write data(*wp, wdata)" is defined as a function for writing data to a specific address of the internal memory of the IC card 508. Here, "*wp" again follows the C pointer notation: "wp" holds a specific address of the internal memory of the IC card 508, and "*wp" denotes the content of address "wp" in that memory. "wdata" is the variable holding the data to be written. Now, assume that the memory of the IC card 508 holds the data shown in fig. 87. If "wp = 102H" and "wdata = 73H" and the function "write data(*wp, wdata)" is executed, the data at address "102H" of the memory is rewritten to "73H", as shown in fig. 87.
The application programs AP _1, AP _2, and AP _3 shown in fig. 84 determine the processing of transactions relating to different types of IC cards 508. The correspondence relationship is shown in fig. 88.
In fig. 84, the application program MAIN is executed for the first time when the computer 501 is started. The application MAIN determines the type of the IC card 508 used using the above-mentioned function "get card type ()". The CPU 502 selects and executes a corresponding application program in accordance with the type of the IC card 508 determined from the correspondence table shown in fig. 88.
Imagine a case where the type A, type B, and type C IC cards 508 are used by different enterprises, so that the application programs AP1, AP2, and AP3 are produced by separate enterprises. The storage area of the internal memory of the IC card 508 is shared by the application programs AP1, AP2, and AP3; each application is expected to use only the partition previously assigned to it.
Because the application programs AP1, AP2, and AP3 are produced by separate enterprises, an error in one program, or a malicious program belonging to one enterprise, may read the application program of another enterprise or illegally access a storage area of the IC card 508 that it is not allowed to access.
[ examples of the invention ]
Fig. 89 is a structural view of a computer 551 according to an embodiment of the present invention.
As shown in fig. 89, the computer 551 has a CPU 552, a memory 553, a communication circuit 504, a judgment circuit 560, and a switch circuit 561.
Here, the CPU 552 corresponds to a calculation circuit of the present invention, the memory 553 corresponds to a storage circuit of the present invention, the communication circuit 504 corresponds to a communication circuit of the present invention, the judgment circuit 560 corresponds to a connection control circuit of the present invention, and the switch circuit 561 corresponds to a connection switch circuit of the present invention.
The CPU data bus 506 connects the CPU 552, the switch circuit 561, the judgment circuit 560, and the communication circuit 504 thereto.
The CPU data bus 506 corresponds to a transmission line of the present invention.
Further, the switch circuit 561 is connected to the memory 553 through a memory data bus 562.
Further, the CPU address bus 507 connects the memory 553, the judgment circuit 560, and the communication circuit 504 thereto.
When the CPU 552 accesses the memory 553 or a peripheral device, the CPU address bus 507 carries the address CPU_ADR.
In fig. 89, the communication circuit 504 and the IC card 508 given the same reference numerals as in fig. 83 are the same as those described in fig. 83.
Further, the CPU 552 has the same software configuration as described above with reference to fig. 84. That is, a program that determines the processing of transactions relating to the three types of IC cards 508, i.e., class a, class B, and class C is used as the application programs AP1, AP2, and AP 3.
Data received from the IC card 508 through the communication circuit 504 is processed by the CPU 552 in accordance with a program stored in the memory 553. Further, data obtained by the processing of the CPU 552 is transmitted to the IC card 508 through the communication circuit 504.
Further, the CPU 552 writes the settlement result generated by communication with the IC card 508 in the memory 553.
The switch circuit 561 switches the CPU data bus 506 and the memory data bus 562 between a connected state and a disconnected state in accordance with a determination result signal S560 (a control signal of the present invention) from the determination circuit 560.
Further, the CPU 552 executes instructions (codes) of the program, the program MAIN, and the application programs AP1, AP2, and AP3 of the OS layer shown in fig. 84, which are fetched (read out) from the memory 553.
The CPU 552 generates an instruction type specification signal S552a, an executing-AP specification signal S552b and, when necessary, a called-AP specification signal S552c according to the instructions it executes, and outputs these signals to the judgment circuit 560.
Here, the instruction type specification signal S552a is a signal indicating which instruction of a fetch instruction, a read instruction, and a write instruction is executed by the CPU 552.
Here, the fetch instruction is an instruction for the CPU 552 to fetch an instruction code through the CPU data bus 506.
The read instruction is an instruction for the CPU 552 to read data through the CPU data bus 506.
The write instruction is an instruction for the CPU 552 to write data through the CPU data bus 506.
Further, the executing-AP specification signal S552b indicates to which of the application programs AP1, AP2, AP3, MAIN, and the OS program shown in fig. 84 the instruction being executed by the CPU 552 belongs.
When a program module being executed by the CPU 552 calls another program module, the called-AP specification signal S552c indicates to which of the application programs AP1, AP2, AP3, MAIN, and the OS program the called program module belongs.
Further, when the switch circuit 561 enters the disconnected state as described later, the CPU 552 suspends its operation on the CPU data bus 506.
The determination circuit 560 is described in detail below.
The judgment circuit 560 generates a judgment result signal S560 based on the instruction type specification signal S552a and the execution AP specification signal S552b input from the CPU 552 and the address CPU ADR input from the CPU 552 through the CPU address bus 507, and outputs the judgment result signal S560 to the switch circuit 561.
Fig. 90 is a structural view of the judgment circuit shown in fig. 89.
As shown in fig. 90, the determination circuit 560 has a selection circuit 570, a fetch determination circuit 571, a read determination circuit 572, and a write determination circuit 573.
The selection circuit 570 connects the switch 574 and one of the terminals 575_1, 575_2, and 575_3 in accordance with an instruction type specification signal S552a input from the CPU 552 shown in fig. 89.
Specifically, when the instruction type specification signal S552a indicates a fetch instruction, the selection circuit 570 connects the switch 574 and the terminal 575_1.
Thus, the fetch determination result signal S571 output from the fetch determination circuit 571 is output from the determination circuit 560 to the switch circuit 561 through the terminal 575_1 and the switch 574 as the determination result signal S560.
Further, when the instruction type specification signal S552a indicates a read instruction, the selection circuit 570 connects the switch 574 and the terminal 575_2.
Thus, the read determination result signal S572 output from the read determination circuit 572 is output from the determination circuit 560 to the switch circuit 561 through the terminal 575_2 and the switch 574 in the form of the determination result signal S560.
Further, when the instruction type specification signal S552a indicates a write instruction, the selection circuit 570 connects the switch 574 and the terminal 575_ 3.
Thus, the write determination result signal S573 output from the write determination circuit 573 is output from the determination circuit 560 to the switch circuit 561 through the terminal 575_3 and the switch 574 in the form of the determination result signal S560.
The fetch judgment circuit 571 generates a fetch judgment result signal S571 using the executing AP specification signal S552b, the called AP specification signal S552c, and the address CPU _ ADR input from the CPU 552, and outputs it to the terminal 575_1 of the selection circuit 570.
Fig. 91 is a structural view of the take-out judgment circuit 571 shown in fig. 90.
As shown in fig. 91, the fetch determination circuit 571 has a memory 581_1 and a determination device 582_ 1.
The memory 581_1 stores fetch range restriction data 584_1 and fetch inter-AP call relation restriction data 585_1.
The fetch range definition data 584_1 defines addresses accessible in the memory 553 when the CPU 552 executes a fetch instruction, for each case where the CPU 552 is executing an OS-layer program and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
Fig. 92 illustrates the fetch range specifying data 584_ 1.
The column (vertical) direction in fig. 92 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
"FROM" in the row (horizontal) direction indicates the start address of the address range in the memory 553 that the program of the corresponding column is allowed to access with a fetch instruction, i.e., the start of the area in which that program is stored.
"TO" in the row direction indicates the end address of that address range.
For example, application AP1 is allowed to access a range of addresses "2000H" - "2 FFFH" of memory 553.
The fetch inter-AP call relation restriction data 585_1 indicates, for the case where the CPU 552 executes a fetch instruction, which combinations of calling program and called program are permitted when a program module of one program calls a program module of another.
Fig. 93 illustrates fetching inter-AP call relation restriction data 585_ 1.
The column direction of fig. 93 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
The row direction of fig. 93 represents programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
The intersection of the rows and columns indicates whether the program modules of the programs of the respective column are allowed to call the program modules of the programs of the respective row. "o" indicates permission to invoke. And "x" indicates that the call is not permitted.
For example, the program modules of the application AP1 are allowed to call the program modules of the OS program, MAIN, and the application AP3, but not those of the application AP2.
The judgment means 582_1 judges whether or not the address CPU _ ADR is included in the address range of the memory 553 defined by "FROM" and "TO" of the column shown in fig. 92 corresponding TO the program indicated by the execution AP specification signal S552b, based on the execution AP specification signal S552b and the address CPU _ ADR input FROM the CPU 552 shown in fig. 89 and the fetch range restriction data 584_1 read FROM the memory 581_ 1.
When it judges that the address is included in the address range, the judgment means 582_1 generates a fetch judgment result signal S571 indicating connection, and outputs the signal to the terminal 575_1 of the selection circuit 570 shown in fig. 90.
On the other hand, when it judges that the address is not included in the address range, the judgment means 582_1 generates a fetch judgment result signal S571 indicating disconnection, and outputs the signal to the terminal 575_1 of the selection circuit 570 shown in fig. 90.
Further, when a program module of the program being executed by the CPU 552 calls a program module of another program, the judgment means 582_1 judges whether the call is permitted by the combinations indicated in the fetch inter-AP call relation restriction data 585_1 shown in fig. 93, based on the executing-AP specification signal S552b and the called-AP specification signal S552c input from the CPU 552 shown in fig. 89 and the fetch inter-AP call relation restriction data 585_1 read from the memory 581_1.
When it judges that the call is permitted, the judgment means 582_1 generates a fetch judgment result signal S571 indicating connection, and outputs the signal to the terminal 575_1 of the selection circuit 570 shown in fig. 90.
On the other hand, when it judges that the call is not permitted, the judgment means 582_1 generates a fetch judgment result signal S571 indicating disconnection, and outputs the signal to the terminal 575_1 of the selection circuit 570 shown in fig. 90.
The read determination circuit 572 generates a read determination result signal S572 using the executing-AP specification signal S552b, the called-AP specification signal S552c, and the address CPU_ADR input from the CPU 552, and outputs the signal to the terminal 575_2 of the selection circuit 570.
Fig. 94 is a structural view of the read determination circuit 572 shown in fig. 90.
As shown in fig. 94, the read judgment circuit 572 has a memory 581_2 and a judgment device 582_ 2.
The memory 581_2 holds read range restriction data 584_2 and read inter-AP call relationship restriction data 585_ 2.
The read range restriction data 584_2 defines, for each case where the CPU 552 is executing the OS-layer program or the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84, the addresses in the memory 553 that may be accessed when the CPU 552 executes a read instruction.
Fig. 95 illustrates the read range specifying data 584_ 2.
The column (vertical) direction in fig. 95 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
"FROM" in the row (horizontal) direction indicates the start address of the address range in the memory 553 that the program of the corresponding column is allowed to access with a read instruction.
"TO" in the row direction indicates the end address of that address range.
The read inter-AP call relation restriction data 585_2 indicates, for the case where the CPU 552 executes a read instruction, which combinations of calling program and called program are permitted when a program module of one program calls a program module of another.
Fig. 96 illustrates reading of inter-AP call relation restriction data 585_ 2.
The column direction of fig. 96 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
The row direction of fig. 96 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
The intersection of the rows and columns indicates whether the program modules of the programs of the respective column are allowed to call the program modules of the programs of the respective row. "o" indicates permission to invoke. And "x" indicates that the call is not permitted.
The judgment means 582_2 judges whether or not the address CPU _ ADR is contained in the address range of the memory 553 defined by "FROM" and "TO" of the column shown in fig. 95 corresponding TO the program indicated by the execution AP specification signal S552b, based on the execution AP specification signal S552b and the address CPU _ ADR input FROM the CPU 552 shown in fig. 89 and the read range restriction data 584_2 read FROM the memory 581_ 2.
When it judges that the address is included in the address range, the judgment means 582_2 generates a read judgment result signal S572 indicating connection, and outputs the signal to the terminal 575_2 of the selection circuit 570 shown in fig. 90.
On the other hand, when it judges that the address is not included in the address range, the judgment means 582_2 generates a read judgment result signal S572 indicating disconnection, and outputs the signal to the terminal 575_2 of the selection circuit 570 shown in fig. 90.
Further, when a program module of the program being executed by the CPU 552 calls a program module of another program, the judgment means 582_2 judges whether the call is permitted by the combinations indicated in the read inter-AP call relation restriction data 585_2 shown in fig. 96, based on the executing-AP specification signal S552b and the called-AP specification signal S552c input from the CPU 552 shown in fig. 89 and the read inter-AP call relation restriction data 585_2 read from the memory 581_2.
When it is judged that the call is permitted, the judgment means 582_2 generates a read judgment result signal S572 indicating connection, and outputs the signal to the terminal 575_2 of the selection circuit 570 shown in fig. 90.
On the other hand, when it is judged that the call is not permitted, the judgment means 582_2 generates the read judgment result signal S572 instructing disconnection, and outputs the signal to the terminal 575_2 of the selection circuit 570 shown in fig. 90.
The write determination circuit 573 generates a write determination result signal S573 using the executing-AP specification signal S552b, the called-AP specification signal S552c, and the address CPU_ADR input from the CPU 552, and outputs the signal to the terminal 575_3 of the selection circuit 570.
Fig. 97 is a structural view of the write judging circuit shown in fig. 90.
As shown in fig. 97, the write determination circuit 573 has a memory 581_3 and a determination device 582_ 3.
The memory 581_3 holds write range definition data 584_3 and write inter-AP call relationship definition data 585_ 3.
The write range restriction data 584_3 defines, for each case where the CPU 552 is executing the OS-layer program or the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84, the addresses in the memory 553 that may be accessed when the CPU 552 executes a write instruction.
Fig. 98 illustrates write range specifying data 584_ 3.
The column (vertical) direction in fig. 98 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
"FROM" in the row (horizontal) direction indicates the start address of the address range in the memory 553 that the program of the corresponding column is allowed to access with a write instruction.
"TO" in the row direction indicates the end address of that address range.
The write inter-AP call relation restriction data 585_3 indicates, for the case where the CPU 552 executes a write instruction, which combinations of calling program and called program are permitted when a program module of one program calls a program module of another.
Fig. 99 illustrates writing the inter-AP call relation restriction data 585_ 3.
The column direction of fig. 99 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
The row direction of fig. 99 represents the programs of the OS layer and the application programs MAIN, AP1, AP2, and AP3 shown in fig. 84.
The intersection of the rows and columns indicates whether the program modules of the programs of the respective column are allowed to call the program modules of the programs of the respective row. "o" indicates permission to invoke. And "x" indicates that the call is not permitted.
The judgment means 582_3 judges whether or not the address CPU _ ADR is contained in the address range of the memory 553 defined by "FROM" and "TO" of the column shown in fig. 98 corresponding TO the program indicated by the execution AP specification signal S552b, based on the execution AP specification signal S552b and the address CPU _ ADR input FROM the CPU 552 shown in fig. 89 and the write range restriction data 584_3 read FROM the memory 581_ 3.
When it judges that the address is included in the address range, the judgment means 582_3 generates a write judgment result signal S573 indicating connection, and outputs the signal to the terminal 575_3 of the selection circuit 570 shown in fig. 90.
On the other hand, when it judges that the address is not included in the address range, the judgment means 582_3 generates a write judgment result signal S573 indicating disconnection, and outputs the signal to the terminal 575_3 of the selection circuit 570 shown in fig. 90.
Further, when a program module of the program being executed by the CPU 552 calls a program module of another program, the judgment means 582_3 judges whether the call is permitted by the combinations indicated in the write inter-AP call relation restriction data 585_3 shown in fig. 99, based on the executing-AP specification signal S552b and the called-AP specification signal S552c input from the CPU 552 shown in fig. 89 and the write inter-AP call relation restriction data 585_3 read from the memory 581_3.
When judging that the call is permitted, the judgment means 582_3 generates a write judgment result signal S573 indicating connection, and outputs the signal to the terminal 575_3 of the selection circuit 570 shown in fig. 90.
On the other hand, when it is judged that the call is not permitted, the judgment means 582_3 generates a write judgment result signal S573 indicating disconnection, and outputs the signal to the terminal 575_3 of the selection circuit 570 shown in fig. 90.
The selection circuit 570 is explained below.
The selection circuit 570 connects the switch 574 and the terminals 575_1, 575_2, and 575_3 in accordance with an instruction type specification signal S552a from the CPU 552.
Specifically, when the instruction type specification signal S552a indicates a fetch instruction, the selection circuit 570 connects the switch 574 and the terminal 575_1, and outputs a fetch determination result signal S571 to the switch circuit 561 in the form of a determination result S560. Thus, the connection/disconnection of the switch circuit 561 is controlled by the extraction determination result signal S571.
Further, when the instruction type specification signal S552a indicates a read instruction, the selection circuit 570 connects the switch 574 and the terminal 575_2, and outputs a read determination result signal S572 to the switch circuit 561 in the form of a determination result S560. Thus, the connection/disconnection of the switch circuit 561 is controlled by the read determination result signal S572.
Further, when the instruction type specification signal S552a indicates a write instruction, the selection circuit 570 connects the switch 574 and the terminal 575_3, and outputs a write determination result signal S573 to the switch circuit 561 in the form of a determination result S560. Thereby, the connection/disconnection of the switch circuit 561 is controlled by the write determination result signal S573.
An example of the operation of the computer 551 is explained below.
[ first operation example ]
An operation example will be described below for the case where the computer 551 executes a fetch instruction specifying the address "2100H" of the memory 553 while executing a program module of the application program AP1.
In this case, the address CPU_ADR indicating "2100H" is placed on the CPU address bus 507, and an instruction type specification signal S552a indicating a fetch instruction and an executing-AP specification signal S552b indicating AP1 are output from the CPU 552 to the judgment circuit 560.
Further, the judgment means 582_1 shown in fig. 91 judges whether the address "2100H" is included in the address range "2000H"-"2FFFH" of the memory 553 defined by "FROM" and "TO" in the column of AP1 in fig. 92, based on the executing-AP specification signal S552b and the address CPU_ADR input from the CPU 552 and the fetch range restriction data 584_1 shown in fig. 92 read from the memory 581_1.
Since the address is included in that range, the judgment means 582_1 generates a fetch judgment result signal S571 indicating connection, and outputs it to the terminal 575_1 of the selection circuit 570 shown in fig. 90.
Further, since the instruction type specification signal S552a indicates the fetch, the selection circuit 570 connects the switch 574 and the terminal 575_ 1.
Thus, the extraction determination result signal S571 indicating the connection is output to the switch circuit 561 shown in fig. 89 in the form of the determination result signal S560 through the selection circuit 570.
Further, the switch circuit 561 puts the CPU data bus 506 and the memory data bus 562 in a connected state so as to allow the CPU 552 to access the memory 553.
Note that, in the case described above, when the address CPU _ ADR indicates "3100H", since the address is not included in the address range of "2000H" - "2 FFFH", the fetch determination result signal S571 indicating disconnection is output from the selection circuit 570 to the switch circuit 561. Thus, the switch circuit 561 puts the CPU data bus 506 and the memory data bus 562 in a disconnected state to prevent the CPU 552 from accessing the memory 553.
[ second working example ]
An operation example in which the computer 551 executes a read instruction while a program module of the application program AP2 calls a program of the application program AP1 is described below.
In this case, the execution AP specification signal S552b indicating AP2 and the called AP specification signal S552c indicating AP1 are output from the CPU 552 to the read judgment circuit 572.
The judgment means 582_2 of the read judgment circuit 572 checks the read inter-AP call relation restriction data 585_2 shown in fig. 96, and judges whether or not a call of AP1 from AP2 is permitted.
Here the call is permitted, so the judgment means 582_2 generates a read determination result signal S572 indicating connection, and outputs it to the terminal 575_2 of the selection circuit 570 shown in fig. 90.
Further, since the instruction type specification signal S552a indicates a read instruction, the selection circuit 570 connects the switch 574 and the terminal 575_2.
Thus, the read determination result signal S572 indicating connection is output through the selection circuit 570 to the switch circuit 561 shown in fig. 89 in the form of the determination result signal S560.
Further, the switch circuit 561 sets the CPU data bus 506 and the memory data bus 562 to a connected state, so that the CPU 552 can access the memory 553.
On the other hand, in the above case, when the program module of the application program AP2 calls a program of the application program AP3, it is judged from the read inter-AP call relation restriction data 585_2 shown in fig. 96 that the call from AP2 to AP3 is not permitted.
Accordingly, the judgment means 582_2 generates a read determination result signal S572 indicating disconnection, and outputs it to the terminal 575_2 of the selection circuit 570 shown in fig. 90.
Thus, the read determination result signal S572 indicating disconnection is output through the selection circuit 570 to the switch circuit 561 shown in fig. 89 in the form of the determination result signal S560.
Further, the switch circuit 561 sets the CPU data bus 506 and the memory data bus 562 to a disconnected state to prevent the CPU 552 from accessing the memory 553.
As described above, according to the program executed by the CPU 552, the judgment circuit 560 and the switch circuit 561 determine the connection state between the memory 553 and the CPU data bus 506 based on the data determined in advance in accordance with the respective programs.
Thus, an application being executed by the CPU 552 can be prevented from illegally accessing instructions and data of another application held in the memory 553, and high security can be obtained between the respective applications even when the CPU 552 is executing several applications.
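As an added example (not code from the patent), the following Python model of the judgment circuit 560 and switch circuit 561 implements the decision described in the two operation examples above: the instruction type selects which restriction data is consulted, the address range of the AP and the inter-AP call relation are checked, and the memory 553 is reachable only while the result is "connection". Only the values the text quotes (AP1 fetch range 2000H-2FFFH; AP2 may call AP1 but not AP3) come from the page; the other table entries, and the rule that both checks must pass, are assumptions of this model.

```python
"""Software model of judgment circuit 560 / switch circuit 561 (sixth
embodiment).  Added example, not the patent's own design; table entries
other than those quoted in the text are constructed."""
from enum import Enum


class Instr(Enum):
    FETCH = "fetch"   # terminal 575_1 / data 584_1, 585_1
    READ = "read"     # terminal 575_2 / data 584_2, 585_2
    WRITE = "write"   # terminal 575_3 / data 584_3, 585_3


# Range restriction data 584_x: {Instr: {AP: (FROM, TO)}}, TO inclusive.
# Only the AP1 fetch range 2000H-2FFFH is from fig. 92; the rest is constructed.
RANGE_RESTRICTION = {
    Instr.FETCH: {"AP1": (0x2000, 0x2FFF), "AP2": (0x3000, 0x3FFF), "AP3": (0x4000, 0x4FFF)},
    Instr.READ:  {"AP1": (0x2000, 0x2FFF), "AP2": (0x3000, 0x3FFF), "AP3": (0x4000, 0x4FFF)},
    Instr.WRITE: {"AP1": (0x2800, 0x2FFF), "AP2": (0x3800, 0x3FFF), "AP3": (0x4800, 0x4FFF)},
}

# Inter-AP call relation restriction data 585_x: {Instr: {(caller, callee)}}.
# The read table mirrors fig. 96 as quoted: AP2 -> AP1 permitted, AP2 -> AP3 absent.
CALL_RESTRICTION = {
    Instr.FETCH: {("AP2", "AP1")},
    Instr.READ:  {("AP2", "AP1")},
    Instr.WRITE: set(),
}


def judge(instr, cpu_adr, exec_ap, called_ap=None):
    """Judgment circuit 560: True means "connection", False "disconnection"
    (determination result signal S560).

    instr     -- instruction type specification signal S552a
    cpu_adr   -- address CPU_ADR on the CPU address bus 507
    exec_ap   -- execution AP specification signal S552b
    called_ap -- called AP specification signal S552c (None when no call)
    """
    # Selection circuit 570: the instruction type picks which judgment
    # means (582_1 / 582_2 / 582_3) and which restriction data drive the switch.
    ranges = RANGE_RESTRICTION[instr]
    calls = CALL_RESTRICTION[instr]

    # Call relation check: a call into another AP must be listed as permitted.
    # Assumption: the accessed region then belongs to the callee.
    if called_ap is not None and called_ap != exec_ap:
        if (exec_ap, called_ap) not in calls:
            return False
        target = called_ap
    else:
        target = exec_ap

    # Range check: the address must lie within FROM..TO of the target AP.
    lo, hi = ranges.get(target, (1, 0))    # unknown AP -> empty range
    return lo <= cpu_adr <= hi


class GuardedMemory:
    """Memory 553 behind switch circuit 561: the CPU data bus 506 and the
    memory data bus 562 are joined only while the judgment is "connection";
    otherwise the access is refused and nothing reaches the memory."""

    def __init__(self, size=0x10000):
        self.cells = bytearray(size)
        self.refused = []    # log of refused accesses (for the reader only)

    def access(self, instr, cpu_adr, exec_ap, called_ap=None, value=None):
        if not judge(instr, cpu_adr, exec_ap, called_ap):
            self.refused.append((instr, cpu_adr, exec_ap, called_ap))
            return None
        if instr is Instr.WRITE:
            self.cells[cpu_adr] = value & 0xFF
            return value & 0xFF
        return self.cells[cpu_adr]
```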
The present invention is not limited to the above-described embodiments.
For example, in the embodiment described above, the case where the judgment circuit 560 holds the fetch range restriction data 584_1, the fetch inter-AP call relation restriction data 585_1, the read range restriction data 584_2, the read inter-AP call relation restriction data 585_2, the write range restriction data 584_3, and the write inter-AP call relation restriction data 585_3 is exemplified, but as shown in fig. 100, such data may also be held in the IC card 558, encrypted with the key information K.
In this case, the judgment circuit 560 holds the key information K and the decryption program 590, accesses the IC card 558 through the CPU data bus 506 and the communication circuit 504, reads the fetch range restriction data 584_1, the fetch inter-AP call relation restriction data 585_1, the read range restriction data 584_2, the read inter-AP call relation restriction data 585_2, the write range restriction data 584_3, and the write inter-AP call relation restriction data 585_3 from the IC card 558, and uses these data after decrypting them with the predetermined decryption program 590 and the key information K.
Further, the present invention may encrypt and store the above decryption program in the IC card 558, read the decryption program into the judgment circuit 560 through the communication circuit 504 and the CPU data bus 506, have the judgment circuit 560 decrypt it with predetermined key information, store the decrypted decryption program in the memory 553, and cause the judgment circuit 560 to read and execute the decryption program from the memory 553.
Further, in the above-described embodiment, the case where the CPU 552 outputs the execution AP specification signal S552b and the called AP specification signal S552c to the judgment circuit 560 is shown, but these signals may instead be generated by the judgment circuit 560 monitoring the CPU address bus 507, as shown in fig. 101.
Seventh embodiment
This embodiment is an embodiment corresponding to the 20 th to 21 st aspects of the present invention.
Fig. 102 is a structural view of a semiconductor chip 631 of the embodiment of the present invention.
As shown in fig. 102, the semiconductor chip 631 has an internal memory 632, a switch circuit 633, a switch circuit 634, a judgment circuit 635, a selection circuit 636, and a CPU 637.
The internal memory 632, the switch circuit 633, the switch circuit 634, the judgment circuit 635, and the CPU 637 are connected to the CPU data bus 640.
The internal memory 632, the judgment circuit 635, and the CPU 637 are connected to the address bus 641.
The internal memory 632, the judgment circuit 635, and the CPU 637 are connected to the signal line 642.
The internal memory 632 is also connected to an internal data bus 643.
The switch circuit 634 is also connected to an external memory 660 via an external data bus 644.
Further, the selection circuit 636 is also connected to the debugger 661 through the external data bus 645.
Here, the semiconductor chip 631 corresponds to the semiconductor circuit of the first aspect of the present invention, the CPU data bus 640 corresponds to the first transmission line of the first aspect of the present invention, the program module PM_1 corresponds to the instructions to execute the program of the first aspect of the present invention, the internal memory 632 corresponds to the storage circuit of the first aspect of the present invention, the CPU 637 corresponds to the processing circuit of the first aspect of the present invention, the switch circuit 633 corresponds to the first connection converting circuit of the first aspect of the present invention, the switch circuit 634 corresponds to the second connection converting circuit of the first aspect of the present invention, the judgment circuit 635 corresponds to the connection control circuit of the first aspect of the present invention, the selection circuit 636 corresponds to the third connection converting circuit of the first aspect of the present invention, the external memory 660 corresponds to the storage device of the first aspect of the present invention, and the debugger 661 corresponds to the external device of the first aspect of the present invention.
Further, the signal line 642 corresponds to a third transmission line of the first aspect of the present invention, and the address bus 641 corresponds to a fourth transmission line of the first aspect of the present invention.
Further, the determination result signal S635a corresponds to the first control signal of the first aspect of the present invention, the determination result signal S635b corresponds to the second control signal of the first aspect of the present invention, and the determination result signal S635c corresponds to the third control signal of the first aspect of the present invention.
Fig. 103 illustrates a software configuration of the semiconductor chip 631 shown in fig. 102.
In fig. 103, the lowest layer is a hardware layer, i.e., a hardware component of the semiconductor chip 631 shown in fig. 102.
Above the hardware layer is a communication driver layer. The communication driver layer is provided with a communication driver for controlling communication. The program of the communication driver layer is typically stored in a non-volatile memory.
On the communication driver layer is an operating system (OS) layer that provides the programs constituting the basis of the operation of the semiconductor chip 631. The OS layer provides the topmost application (AP) layer with services at a higher conceptual level than the layers below it.
Further, on the OS layer is an AP layer that determines the specific functions (services) realized by the semiconductor chip 631. The AP layer has application programs AP1, AP2, and AP3 implemented by the program modules PM_1, PM_2, and PM_3 shown in fig. 102.
The internal memory 632 holds the program module PM_1 of the application program AP1 shown in fig. 103.
Fig. 104 illustrates the structure of the program module PM_1.
As shown in fig. 104, the program module PM_1 is composed of several function modules. Fig. 104 shows a case where the program module PM_1 is composed of n function modules FM_1 to FM_n.
As shown in fig. 104, the instructions (codes) located at the head of the respective function modules FM_1 to FM_n are unlock instructions, and the last instructions are lock instructions.
Here, the lock instruction is an instruction to instruct the determination circuit 635 described later to keep the switch circuit 633 in a connected state until the next unlock instruction.
Further, the unlock instruction is an instruction to instruct the switch circuit 633 to shift to the off state.
The switching circuit 633 is interposed between the CPU data bus 640 and the internal data bus 643.
The switch circuit 633 becomes a connected state or a disconnected state in accordance with the determination result signal S635a input from the determination circuit 635.
Switching circuit 634 is interposed between CPU data bus 640 and external data bus 644.
The switch circuit 634 becomes a connected state or a disconnected state according to the determination result signal S635b input from the determination circuit 635.
The judgment circuit 635 monitors the address bus 641 and the signal line 642. When the address signal that the CPU 637 outputs to the address bus 641 indicates an address at which the program module PM_1 is held in the internal memory 632, and the instruction type specification signal S637a that the CPU 637 outputs to the signal line 642 indicates an instruction fetch, it generates a determination result signal S635a indicating connection. In other cases, it generates a determination result signal S635a indicating disconnection.
The judgment circuit 635 outputs a judgment result signal S635a to the switch circuit 633.
Further, when the judgment circuit 635 generates the judgment result signal S635a indicating connection, it generates the judgment result signal S635b indicating disconnection, and outputs it to the switch circuit 634.
Further, when the judgment circuit 635 generates the judgment result signal S635a indicating disconnection, it generates a judgment result signal S635b indicating connection, and outputs it to the switch circuit 634.
Further, the judgment circuit 635 generates a judgment result signal S635c indicating invalidation/disconnection when it generates a judgment result signal S635a indicating connection, and outputs it to the selection circuit 636.
Further, when the judgment circuit 635 generates the judgment result signal S635a indicating disconnection, it generates a judgment result signal S635c indicating valid/connection, and outputs it to the selection circuit 636.
Further, while the CPU 637 is executing the program module PM_1 shown in fig. 104, when a function module in the program module PM_1 is called by a branch instruction included in another function module being executed by the CPU 637, the judgment circuit 635 outputs a judgment result signal S635a indicating connection to the switch circuit 633 on the condition that the instruction first fetched at the call destination is the instruction at the head of the called function module (i.e., when a branch instruction specifying the instruction at the head of the called function module is executed).
As explained with reference to fig. 104, since the head of each function module is provided with an unlock instruction (the opening release instruction of the first aspect of the present invention), the judgment circuit 635 outputs a judgment result signal S635a indicating connection to the switch circuit 633 in accordance with the unlock instruction, before the next lock instruction (the opening start instruction of the first aspect of the present invention) is executed. At this time, as described earlier, the determination result signal S635b indicating disconnection is sent to the switch circuit 634, and the determination result signal S635c indicating invalidation/disconnection is sent to the selection circuit 636, so that the debugger 661 cannot temporarily stop the operation of the CPU 637 or acquire CPU internal state information from the CPU 637. Thus, the function modules FM_1 to FM_n shown in fig. 104 cannot be accessed from the program modules PM_2 and PM_3 in the external memory 660 or from the debugger 661.
Further, while the CPU 637 is executing the program module PM_1 shown in fig. 104, when a function module in the program module PM_1 is called by the CPU 637 executing a branch instruction contained in another function module, and an instruction other than the instruction at the head of the called function module is fetched first, the judgment circuit 635 outputs a judgment result signal S635a indicating disconnection to the switch circuit 633. Further, in this case, the judgment circuit 635 suspends the operation of the CPU 637 or executes predetermined error processing.
When the determination result signal S635c from the determination circuit 635 indicates invalidation/disconnection, the selection circuit 636 invalidates the HALT signal S661a (operation suspension request of the first aspect of the present invention) input from the debugger 661 and does not output it to the CPU 637. Here, the HALT signal S661a is a signal instructing to temporarily stop the operation of the CPU 637.
When the determination result signal S635c from the determination circuit 635 indicates invalidation/disconnection, the selection circuit 636 invalidates the CPU internal state read request signal S661b and the CPU internal state rewrite request signal S661c input from the debugger 661, and does not output these signals to the CPU 637.
Here, the CPU internal state read request signal S661b is a signal requesting information to display the internal state of the CPU 637.
The CPU internal state rewriting request signal S661c is a signal requesting to rewrite information showing the internal state of the CPU 637.
On the other hand, when the determination result signal S635c from the determination circuit 635 indicates valid/connected, the selection circuit 636 outputs a HALT signal S661a input from the debugger 661 to the CPU 637.
When the determination result signal S635c from the determination circuit 635 indicates valid/connected, the selection circuit 636 outputs the CPU internal state read request signal S661b and the CPU internal state rewrite request signal S661c input from the debugger 661 to the CPU 637. Further, the selection circuit 636 outputs a CPU internal state signal S637d input from the CPU 637 in accordance with the CPU internal state read request signal S661b to the debugger 661.
The CPU 637 outputs an address of the internal memory 632 to the address bus 641, outputs an instruction type specification signal S637a indicating the type of instruction being executed to the signal line 642, and executes processing using instructions and data of the program module PM_1 read from the internal memory 632 via the switch circuit 633 and the CPU data bus 640 in accordance with the above signals.
Further, the CPU 637 outputs an address of the external memory 660 to the address bus 641, outputs an instruction type specification signal S637a to the signal line 642, and executes processing using instructions and data of the program modules PM_2 and PM_3 read from the external memory 660 via the external data bus 644, the switch circuit 634, and the CPU data bus 640 in accordance with the above signals.
When a HALT signal S661a is input from the debugger 661 through the selection circuit 636, the CPU 637 stops its operation.
Further, when the CPU 637 receives the CPU internal state read request signal S661b input from the debugger 661 through the selection circuit 636, it outputs an internal state signal S637d including information indicating the internal state of the CPU 637 specified by the signal S661b to the debugger 661 through the selection circuit 636.
Further, when the CPU 637 receives the CPU internal state rewrite request signal S661c input from the debugger 661 via the selection circuit 636, it rewrites the information indicating the internal state of the CPU 637 with the content specified by this signal S661c.
The debugger 661 controls the operation of the CPU 637 using the HALT signal S661a according to the debug object, monitors the operation of the CPU 637 with the internal state read request signal S661b and the internal state signal S637d, and customizes the CPU 637 with the CPU internal state rewrite request signal S661c.
An example of the operation of the semiconductor chip 631 is explained below.
[ first operation example ]
For example, consider a case where the debugger 661 outputs one of the HALT signal S661a, the CPU internal state read request signal S661b, and the CPU internal state rewrite request signal S661c to the selection circuit 636.
In this case, when the CPU 637 accesses the internal memory 632 via the CPU data bus 640 and the switch circuit 633, that is, when the switch circuit 633 is in a connected state, the selection circuit 636 is put in the invalid/disconnected state by the determination result signal S635c from the determination circuit 635, and the selection circuit 636 does not output the HALT signal S661a, the CPU internal state read request signal S661b, or the CPU internal state rewrite request signal S661c to the CPU 637.
Thus, the debugger 661 can access neither the CPU 637 nor the internal memory 632.
On the other hand, when the CPU 637 is not accessing the internal memory 632, that is, when the switch circuit 633 is in the disconnected state, the selection circuit 636 is put in the valid/connected state by the determination result signal S635c from the determination circuit 635, and the selection circuit 636 outputs the HALT signal S661a, the CPU internal state read request signal S661b, and the CPU internal state rewrite request signal S661c to the CPU 637.
Thus, the debugger 661 can monitor and adjust the operation of the CPU 637, but cannot access the internal memory 632 because the switch circuit 633 is in the disconnected state.
[ second working example ]
For example, consider the case where CPU 637 is accessing external memory 660 via switch circuit 634 and external data bus 644.
In this case, the switch circuit 634 and the selection circuit 636 are put in a connected state by the determination result signals S635b and S635c from the determination circuit 635, but the switch circuit 633 is put in a disconnected state by the determination result signal S635a. Thus, the internal memory 632 cannot be accessed from the external data buses 644 and 645.
As described above, in the semiconductor chip 631, when the internal memory 632 and the CPU data bus 640 are in a connected state, external access from the external data buses 644 and 645 is not allowed.
Thus, according to the semiconductor chip 631, unauthorized access to the program module PM_1 stored in the internal memory 632 from outside the semiconductor chip 631 can be reliably prevented, and the confidentiality of the program module PM_1 can be maintained.
Further, according to the semiconductor chip 631, the processing of the program module PM_1 executed by the CPU 637 cannot be monitored and analyzed from the outside.
Further, according to the semiconductor chip 631, it is possible to prevent illegal access to the confidential program module PM_1 from the program modules PM_2 and PM_3 saved in the external memory 660.
Eighth embodiment
The present embodiment is an embodiment corresponding to the 20 th and 21 st aspects of the present invention.
Fig. 105 is a structural view of a semiconductor chip 6131 of an embodiment of the invention.
As shown in fig. 105, the semiconductor chip 6131 has an encryption/decryption circuit 6134, a judgment circuit 6135, a selection circuit 6136, and a CPU 6137.
The encryption/decryption circuit 6134 and the CPU 6137 are connected to a CPU data bus 6140.
The judgment circuit 6135 and the CPU 6137 are connected to an address bus 6141.
The judgment circuit 6135 and the CPU 6137 are connected to a signal line 6142.
The encryption/decryption circuit 6134 is also connected to an external memory 6160 via an external data bus 6144.
The selection circuit 6136 is also connected to a debugger 6161 through an external data bus 6145.
Note that the software structure shown in fig. 103 is similarly applied also in the semiconductor chip 6131.
Here, the semiconductor chip 6131 corresponds to the semiconductor chip of the second aspect of the present invention, the external data bus 6144 corresponds to the first transmission line of the first aspect of the present invention, the external memory 6160 corresponds to the storage device of the second aspect of the present invention, the program module PM_1 corresponds to the instructions to execute the program of the second aspect of the present invention, the encryption/decryption circuit 6134 corresponds to the encryption/decryption circuit of the second aspect of the present invention, the judgment circuit 6135 corresponds to the control circuit of the second aspect of the present invention, the selection circuit 6136 corresponds to the selection circuit of the second aspect of the present invention, the CPU 6137 corresponds to the second calculation circuit, and the external data bus 6145 corresponds to the second transmission line of the second aspect of the present invention.
The external memory 6160 is explained first.
As shown in fig. 105, the external memory 6160 holds the program modules PM_1, PM_2, and PM_3.
In this embodiment, a case where the program module PM_1 is confidential will be exemplified.
The confidential program module PM_1 is encrypted and saved in the external memory 6160. The non-confidential program modules PM_2 and PM_3 may or may not be encrypted.
Fig. 106 illustrates the structure of the program module PM_1.
As shown in fig. 106, the program module PM_1 is composed of several function modules. Fig. 106 shows a case where it is composed of n function modules FM_1 to FM_n.
As shown in fig. 106, the heads of the function modules FM_1 to FM_n are provided with ID number indication instructions indicating ID numbers. The ID number indication instruction itself is not encrypted.
Here, the ID number is information identifying the corresponding function module. As described later, when the encryption/decryption circuit 6134 decrypts a function module, the ID number is used to determine the key information for the decryption.
Further, an instruction indicating the ID number "#0" (an instruction indicating that the following instructions do not use a key, i.e., are not encrypted) is set at the end of each of the function modules FM_1 to FM_n.
As shown in fig. 107, the function module is encrypted in units of data blocks of a predetermined data length. The data blocks 1-n have parity data 1-n added thereto.
For example, as shown in fig. 107, the encryption/decryption circuit 6134 encrypts, in units of predetermined data blocks, the function modules shown in fig. 106 of the program module PM_1 to be written in the external memory 6160.
At this time, the encryption/decryption circuit 6134 encrypts the respective function modules with arbitrary key information, and sets an unencrypted (plaintext) ID number indication instruction (information) specifying the ID number identifying the function module at the head of each function module, as explained with fig. 106.
Further, the encryption/decryption circuit 6134 generates and holds the key information table 6190 shown in fig. 108, which links the ID number specified for a function module (the key specifying information of the second aspect of the present invention) with the key information used to encrypt that function module.
Further, when the encryption/decryption circuit 6134 encrypts a data block, as shown in fig. 107, it generates parity data for the data block and stores the parity data linked with the corresponding data block in the external memory 6160. At this time, the encryption/decryption circuit 6134 generates the parity data so that the sum of the data block and the parity data becomes a predetermined value.
Further, the encryption/decryption circuit 6134 obtains the key information for a function module input from the external memory 6160 by looking up the key information table 6190 shown in fig. 108 with the ID number specified by the ID number indication instruction located at the head of the function module. Further, the encryption/decryption circuit 6134 decrypts the function module in units of the above-mentioned data blocks using that key information.
Further, after decrypting the function module, the encryption/decryption circuit 6134 judges the validity of the parity data corresponding to the function module. At this time, if the parity data is judged to be legitimate, the decrypted data is output to the CPU 6137. On the other hand, if the parity data is judged not to be legitimate, the operation of the CPU 6137 is stopped or predetermined error processing is performed.
Note that in this embodiment, the data length of the data block and the data length of the functional module may be the same or different.
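The following Python model, an added example rather than code from the patent, implements the storage format of figs. 106 to 108 as described above: a plaintext ID number header, the function module body encrypted in data blocks with the key found in the key information table 6190 by that ID, a parity byte per block whose sum with the block is a predetermined value, the "#0" trailer, and the read path that halts the CPU when a parity check fails. The patent names no cipher, block length or parity constant; a SHA-256 counter-mode keystream, 8-byte blocks, 2-byte ID fields and a parity target of 0 mod 256 are assumptions of this model.

```python
"""Model of encryption/decryption circuit 6134 and key information table 6190
(eighth embodiment).  Added example; cipher, block length, field widths and
parity target are assumptions, not the patent's."""
import hashlib
import struct

BLOCK_LEN = 8          # "predetermined data length" of one data block
PARITY_TARGET = 0x00   # "predetermined value" that block + parity must sum to (mod 256)
ID_NONE = 0            # "#0": the instructions that follow are not encrypted


class KeyInformationTable:
    """Key information table 6190: ID number -> key information."""

    def __init__(self):
        self._keys = {}

    def register(self, id_number, key):
        if id_number == ID_NONE:
            raise ValueError("#0 is reserved for 'not encrypted'")
        self._keys[id_number] = key

    def lookup(self, id_number):
        return self._keys[id_number]      # KeyError for an unknown ID


def _keystream(key, block_index):
    # Per-block keystream; stand-in for the cipher the patent leaves unspecified.
    return hashlib.sha256(key + struct.pack(">I", block_index)).digest()[:BLOCK_LEN]


def _parity(block):
    # Parity byte chosen so that sum(block) + parity == PARITY_TARGET (mod 256).
    return (PARITY_TARGET - sum(block)) & 0xFF


class EncryptionDecryptionCircuit6134:
    def __init__(self, table):
        self.table = table
        self.cpu_halted = False    # set when a parity or format check fails

    def encrypt_function_module(self, id_number, body):
        """Write path: bytes placed in external memory 6160 for one function
        module: [ID header][cipher block + parity byte] * n [#0 trailer]."""
        key = self.table.lookup(id_number)
        out = bytearray(struct.pack(">H", id_number))          # plaintext ID header
        for pos in range(0, len(body), BLOCK_LEN):
            block = body[pos:pos + BLOCK_LEN].ljust(BLOCK_LEN, b"\x00")
            ks = _keystream(key, pos // BLOCK_LEN)
            out += bytes(p ^ k for p, k in zip(block, ks))     # encrypted data block
            out.append(_parity(block))                          # parity over plaintext
        out += struct.pack(">H", ID_NONE)                       # "#0" trailer
        return bytes(out)

    def decrypt_function_module(self, stored):
        """Read path: plaintext body, or None after halting the CPU when the
        trailer is missing, the ID is unknown or any parity check fails."""
        if len(stored) < 4 or struct.unpack(">H", stored[-2:])[0] != ID_NONE:
            return self._halt()
        id_number = struct.unpack(">H", stored[:2])[0]
        try:
            key = self.table.lookup(id_number)    # table 6190 looked up by ID
        except KeyError:
            return self._halt()
        records, rec_len = stored[2:-2], BLOCK_LEN + 1
        if len(records) % rec_len:
            return self._halt()
        body = bytearray()
        for idx in range(len(records) // rec_len):
            rec = records[idx * rec_len:(idx + 1) * rec_len]
            block = bytes(c ^ k for c, k in zip(rec[:BLOCK_LEN], _keystream(key, idx)))
            # A byte-sum parity catches a single corrupted byte and a wrong key
            # with high probability; it is a check value, not an authentication tag.
            if (sum(block) + rec[BLOCK_LEN]) & 0xFF != PARITY_TARGET:
                return self._halt()
            body += block
        return bytes(body)

    def _halt(self):
        self.cpu_halted = True
        return None
```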
The judgment circuit 6135 generates a judgment result signal S6135 indicating invalidation/disconnection, and outputs it to the selection circuit 6136 when the CPU 6137 is accessing (e.g., fetching) the confidential program module PM_1.
Further, the judgment circuit 6135 generates a judgment result signal S6135 indicating validity/connection, and outputs it to the selection circuit 6136 when the CPU 6137 is not accessing (e.g., fetching) the confidential program module PM_1.
The judgment circuit 6135 monitors an address and an instruction which are output from the CPU 6137 and flow through the address bus 6141 and the signal line 6142, and judges whether the CPU 6137 is accessing the program module PM _1 based on the address and the instruction.
When the determination result signal S6135 from the determination circuit 6135 indicates invalidation/disconnection, the selection circuit 6136 invalidates the HALT signal S6161a (operation stop request of the second aspect of the present invention) input from the debugger 6161 and does not output it to the CPU 6137. Here, the HALT signal S6161a is a signal instructing to temporarily stop the operation of the CPU 6137.
When the determination result signal S6135 from the determination circuit 6135 indicates invalidation/disconnection, the selection circuit 6136 invalidates the CPU internal state read request signal S6161b and the CPU internal state rewrite request signal S6161c input from the debugger 6161 and does not output them to the CPU 6137.
Here, the CPU internal state read request signal S6161b is a signal requesting information to display the internal state of the CPU 6137.
The CPU internal state rewriting request signal S6161c is a signal requesting to rewrite information showing the internal state of the CPU 6137.
On the other hand, when the determination result signal S6135 from the determination circuit 6135 indicates valid/connected, the selection circuit 6136 outputs a HALT signal S6161a input from the debugger 6161 to the CPU 6137.
When the determination result signal S6135 from the determination circuit 6135 indicates valid/connected, the selection circuit 6136 outputs the CPU internal state read request signal S6161b and the CPU internal state rewrite request signal S6161c input from the debugger 6161 to the CPU 6137. Further, the selection circuit 6136 outputs a CPU internal state signal S6137d input from the CPU 6137 in accordance with the CPU internal state read request signal S6161b to the debugger 6161.
The CPU 6137 outputs an address of the external memory 6160 to the address bus 6141, outputs an instruction type specification signal S6137a showing the type of instruction being executed to the signal line 6142, and performs processing using the instructions and data of the program modules PM_1, PM_2, and PM_3 read from the external memory 6160 through the external data bus 6144 and the encryption/decryption circuit 6134 in accordance with these signals.
When the CPU 6137 receives the HALT signal S6161a input from the debugger 6161 through the selection circuit 6136, the operation of the CPU 6137 is stopped.
Further, when the CPU 6137 receives the CPU internal state read request signal S6161b input from the debugger 6161 through the selection circuit 6136, it outputs an internal state signal S6137d including information showing the internal state of the CPU 6137 specified by the signal S6161b to the debugger 6161 through the selection circuit 6136.
Further, when the CPU 6137 receives the CPU internal state rewrite request signal S6161c from the debugger 6161 through the selection circuit 6136, it rewrites the information showing the internal state of the CPU 6137 with the content specified by the signal S6161c. Thus, the operation of the CPU 6137 is controlled by the debugger 6161.
The debugger 6161 controls the operation of the CPU 6137 using the HALT signal S6161a according to the debug target, monitors the operation of the CPU 6137 using the internal state read request signal S6161b and the internal state signal S6137d, and customizes the CPU 6137 using the CPU internal state rewrite request signal S6161c.
An example of the operation of the semiconductor chip shown in fig. 105 is explained below.
[ first operation example ]
In the present operation example, a case where the CPU6137 writes data of the program module PM _1 to the external memory 6160 will be described.
The CPU 6137 outputs the write data to the encryption/decryption circuit 6134 through the CPU data bus 6140.
Further, as described earlier, the encryption/decryption circuit 6134 encrypts write data by using key information corresponding to the function module in units of data blocks, and writes the encrypted write data in the external memory 6160 through the external data bus 6144.
Further, information related to key information used for encryption is added to the key information table 6190 shown in fig. 108.
At this time, the judgment circuit 6135 outputs a judgment result signal S6135 indicating invalid/disconnected to the selection circuit 6136, so the HALT signal S6161a, the CPU internal state read request signal S6161b, and the CPU internal state rewrite request signal S6161c issued by the debugger 6161 are not passed by the selection circuit 6136 to the CPU 6137.
Further, since the write data is encrypted before it is placed on the external data bus 6144, the confidentiality of the program module PM_1 is not lost even if the external data bus 6144 is illegally probed.
[ second working example ]
In this operation example, a case where the CPU 6137 reads an instruction or data of the program module PM _1 from the external memory 6160 will be described.
Due to the read instruction issued by the CPU 6137, the instruction or data of the program module PM _1 is read from the specified address of the external memory 6160 and output to the encryption/decryption circuit 6134 through the external data bus 6144.
Further, the encryption/decryption circuit 6134 consults the key information table 6190 shown in fig. 108 according to the ID number given by the ID number designation instruction provided at the head of each function module, and obtains the key information corresponding to that ID number.
Further, the encryption/decryption circuit 6134 decrypts, in units of data blocks, the instruction or data read from the external memory 6160 with the key information, followed by the parity processing.
The data or instruction subjected to the parity processing is output to the CPU 6137 through the CPU data bus 6140.
At this time, the judgment circuit 6135 outputs a judgment result signal S6135 indicating invalid/disconnected to the selection circuit 6136, so the HALT signal S6161a, the CPU internal state read request signal S6161b, and the CPU internal state rewrite request signal S6161c issued by the debugger 6161 are not passed by the selection circuit 6136 to the CPU 6137.
Since the instruction or data of the program module PM_1 travels over the external data bus 6144 in encrypted form, the confidentiality of the program module PM_1 is not lost even if the external data bus 6144 is illegally probed.
As described above, according to the semiconductor chip 6131, the confidentiality of the program module PM _1 can be maintained even when the confidential program module PM _1 is saved in the external memory 6160 located outside the semiconductor chip 6131.
That is, when the CPU 6137 accesses the confidential program module PM _1 saved in the external memory 6160, the selection circuit 6136 prohibits the debugger 6161 from communicating with the CPU 6137, so that it is possible to prevent the processing of the program module PM _1 being executed by the CPU 6137 from being illegally monitored by the debugger 6161.
Further, since the parity processing is performed after decrypting the data and instruction read from the external memory 6160, when inappropriate key information is used for decryption or when the data and instruction are destroyed or tampered, the destruction or tampering can be detected by the parity processing and appropriately coped with.
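The two operation examples above describe a write path (parity added, block encrypted under the module's key, ciphertext on the external bus) and a read path (decrypt under the key selected by module ID, then check parity). The following Python model is an added example and not the patent's own circuit: it reproduces both paths and shows that a tampered block is rejected deterministically and a block decrypted with the wrong module key is rejected with overwhelming probability. The SHA-256 counter keystream stands in for the chip's unspecified block cipher, the layout of 7 data bytes plus one XOR parity byte per block and all function names are assumptions, and the selection-circuit rule from the summary above is reduced to a single predicate.

```python
import hashlib

DATA_BYTES = 7     # data bytes per block (assumed layout)
BLOCK_BYTES = 8    # 7 data bytes + 1 XOR parity byte (assumed layout)


class IntegrityError(Exception):
    """Raised when the parity check performed after decryption fails."""


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for the chip's block cipher: a SHA-256 counter keystream (assumption).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor_parity(chunk: bytes) -> int:
    parity = 0
    for b in chunk:
        parity ^= b
    return parity


def add_parity(image: bytes) -> bytes:
    """Split a module image into 7-byte chunks and append one XOR parity byte to each."""
    if len(image) % DATA_BYTES:
        raise ValueError("module image must be padded to a multiple of 7 bytes")
    out = bytearray()
    for i in range(0, len(image), DATA_BYTES):
        chunk = image[i:i + DATA_BYTES]
        out += chunk + bytes([_xor_parity(chunk)])
    return bytes(out)


def check_and_strip_parity(blocks: bytes) -> bytes:
    """Verify every block's parity byte; any single-bit change is caught."""
    if len(blocks) % BLOCK_BYTES:
        raise IntegrityError("truncated block")
    out = bytearray()
    for i in range(0, len(blocks), BLOCK_BYTES):
        chunk, stored = blocks[i:i + DATA_BYTES], blocks[i + DATA_BYTES]
        if _xor_parity(chunk) != stored:
            raise IntegrityError(f"parity mismatch in block {i // BLOCK_BYTES}")
        out += chunk
    return bytes(out)


def store_module(key_table: dict, module_id: int, image: bytes) -> bytes:
    """Write path: parity is added, then the blocks are encrypted with the key of module_id.
    The return value is what appears on the external data bus."""
    plain = add_parity(image)
    ks = _keystream(key_table[module_id], len(plain))
    return bytes(p ^ k for p, k in zip(plain, ks))


def load_module(key_table: dict, module_id: int, ciphertext: bytes) -> bytes:
    """Read path: decrypt with the key selected by module_id, then run the parity check.
    A wrong key yields pseudo-random plaintext, so the parity check fails (prob. 1 - 2^-8 per block)."""
    ks = _keystream(key_table[module_id], len(ciphertext))
    plain = bytes(c ^ k for c, k in zip(ciphertext, ks))
    return check_and_strip_parity(plain)


def debugger_reaches_cpu(determination_valid: bool, confidential_access: bool) -> bool:
    """Selection-circuit rule: debugger signals pass only when the determination result is
    valid/connected and the CPU is not accessing a confidential program module."""
    return determination_valid and not confidential_access


if __name__ == "__main__":
    # Constructed key table and module image (not values from the patent).
    table = {1: b"key-for-PM_1", 2: b"key-for-PM_2"}
    image = bytes(range(35))
    on_bus = store_module(table, 1, image)
    assert on_bus != add_parity(image)           # bus carries ciphertext only
    assert load_module(table, 1, on_bus) == image
```

A bus probe sees only `on_bus`; flipping any bit of it, or decrypting it under `table[2]`, makes `load_module` raise `IntegrityError` instead of handing garbage to the CPU.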
The present invention is not limited to the above-described embodiments.
For example, in the above-described embodiment the case where the key information table 6190 shown in fig. 108 is held in the judgment circuit 6135 is exemplified, but the key information table 6190 may instead be encrypted and stored in the external memory 6160.
Ninth embodiment
This embodiment is an embodiment corresponding to the 22 nd to 24 th aspects of the present invention.
This embodiment of the present invention will be described below with reference to the drawings.
Fig. 109 is a view of the overall structure of the communication system 701 of the present embodiment.
As shown in fig. 109, the communication system 701 has a server 702, an IC card 703, a reader/writer 704, a personal computer 705, an ASP (application service provider) server 719, and a SAM (secure application module) device 709 communicating via the internet, and performs settlement processing or other processing for transactions using the IC card 703 (the integrated circuit of the present invention).
The SAM device 709 (data processing apparatus of the present invention) has an external memory 707 (storage circuit of the present invention) and a SAM chip 708 (semiconductor circuit of the present invention).
The SAM chip 708 and another SAM chip 708a (another semiconductor circuit of the present invention) transfer data between them when necessary. The SAM chip 708a is connected to an ASP server 719a different from that of the SAM chip 708 as shown in fig. 110, or to the same ASP server 719 as the SAM chip 708 as shown in fig. 111.
The structure of the SAM chip 708a is substantially the same as the SAM chip 708.
The components shown in fig. 109 are explained below.
[ IC card 703]
Fig. 112 is a functional block diagram of the IC card 703.
As shown in fig. 112, the IC card 703 has an IC (integrated circuit) 703a provided with a memory 750 and a CPU 751.
As shown in fig. 113, the memory 750 has a memory area 755_1 used by the credit card company or other service enterprise 715_1, a memory area 755_2 used by the service enterprise 715_2, and a memory area 755_3 used by the service enterprise 715_ 3.
Further, the memory 750 holds key data for judging access authority to the storage area 755_1, key data for judging access authority to the storage area 755_2, and key data for judging access authority to the storage area 755_ 3. The key data is used for mutual authentication, data encryption and decryption, and the like.
Further, the memory 750 stores the IC card 703 or identification information of the user of the IC card 703.
The SAM device 709 is described in detail below.
As described above, the SAM device 709 includes the external memory 707 (a memory circuit of the present invention) and the SAM chip 708 (a semiconductor circuit of the present invention).
[ software configuration of SAM chip 708 ]
The SAM chip 708 has a software configuration as shown in fig. 114.
As shown in fig. 114, the SAM chip 708 has, from the bottom layer to the top layer, a HW (hardware layer), an OS layer, a low-level handler layer, a high-level handler layer, and an AP layer.
The low level handler layer includes a driver layer.
Here, in the AP layer, application programs AP _1, AP _2, and AP _3 (application programs of the present invention) defining a process of using the IC card 703 by a credit card company or other enterprises 715_1, 715_2, and 715_3 are read from the external memory 707 and run.
In the AP layer, a firewall FW is provided between the applications AP _1, AP _2, and AP _3 and the high-level handler layer.
[ external memory 707]
Fig. 115 illustrates a storage area of the external memory 707.
As shown in fig. 115, the storage areas of the external memory 707 include an AP storage area 7220_1 that holds an application program AP _1 of the service enterprise 715_1, an AP storage area 7220_2 that holds an application program AP _2 of the service enterprise 715_2, an AP storage area 7220_3 that holds an application program AP _3 of the service enterprise 715_3, and an AP management storage area 7221 used by a manager of the SAM chip 708.
The application program AP _1 stored in the AP memory area 7220_1 is composed of several application unit data APEs (data modules of the present invention) described later. Access to the AP storage area 7220_1 is limited by a firewall FW _ 1.
The application program AP_2 stored in the AP memory area 7220_2 is composed of several application unit data APEs described later. Access to the AP storage area 7220_2 is limited by a firewall FW_2.
The application program AP_3 stored in the AP memory area 7220_3 is composed of several application unit data APEs described later. Access to the AP storage area 7220_3 is limited by a firewall FW_3.
In the present embodiment, the application unit data APE is the minimum unit downloaded from outside the SAM device 709 to the external memory 707. The number of application unit data APEs constituting each application program can be freely determined by the corresponding service enterprise.
Further, the application programs AP _1, AP _2, and AP _3 stored in the external memory 707 are scrambled. When read into the SAM chip 708, they are descrambled.
Further, the application programs AP _1, AP _2, and AP _3 are generated by the service enterprises 715_1, 715_2, and 715_3 using the personal computers 716_1, 716_2, and 716_3 shown in fig. 109, and are downloaded to the external memory 707 through the SAM chip 708.
The application programs AP _1, AP _2, and AP _3 will be described in detail below.
One or more applications per service enterprise exist in the SAM.
As shown in fig. 116, each of the application programs AP_1, AP_2, and AP_3 (hereinafter referred to as AP) is composed of identification data AP_ID identifying the application program AP, data APE_NUM indicating the number of application unit data APEs included in the application program, and one or more application unit data APEs.
The identification data AP _ ID is set to be different for each service enterprise.
As shown in fig. 116, the application unit data APE is composed of data APE _ SIZE indicating the data SIZE of the application unit data APE, identification data APE _ ID identifying the application unit data APE, and a data characteristic (proper).
Here, the identification data APE_ID is composed of data APE_TYPE indicating the type of the application unit data APE and data INS_NUM indicating the identification number (instance number) of the application unit data APE within that type. The data INS_NUM is managed on the end user (service enterprise) side.
For example, when the application unit data APE is the file system configuration, the data APE_TYPE is "2" and the data INS_NUM is "1". Thus, within the same SAM, an application unit data APE can be unambiguously identified by its identification data APE_ID.
The external memory 707 shown in fig. 115 holds the above-described application programs AP (AP _1, AP _2, and AP _3) encrypted with the encryption key data K _ AP outside the SAM device 709 in the form of an application program package APP.
Encryption key data different with respect to each application is used as the encryption key data K _ AP.
The type of application unit data APE described using fig. 116 will be described below.
Fig. 117 shows an example of application unit data APE stored in one AP area.
As shown in fig. 117, the AP area stores card access key data, file system configuration data, SAM mutual authentication key data, inter-SAM key package key data, IC card operation macro script program (processing routine data of the present invention), memory partition key package, area recording (registration) key package, area deletion key package, service recording key package, service deletion key package, and AP resource key data K _ APE as application unit data APE.
The application unit data APE shown in fig. 117 will be explained below.
O card access key data
The card access key data is key data for a read or write operation with respect to the memory 750 of the IC card 703. Further, key data to be viewed by an IC card operation macro command script program described later is also contained in the same type of application unit data APE in the form of card access key data.
O File System configuration data
The file system configuration data includes operation log data, negative data, and genre (category) data.
The operation log data is the usage history of the application unit data APE, the negative data is the expiration information of the IC card, and the genre data is the execution record at the SAM.
For example, the file system configuration selects the type of file access (record key, flag, classification, ring) and, if it is a record key, sets a record size, the total number of records, a record signature version, a record signature method type, a record data size, and a record signature key. Further, when data is written into the file system from the outside, it indicates whether signature verification or the like is performed. Here, a "record" is the minimum unit of writing/reading of file data.
O SAM mutual authentication key data
The SAM mutual authentication key data is key data used when the corresponding application unit data APE is accessed from another AP in the same SAM or from another SAM. It is also used for mutual authentication between APs in the same SAM.
O inter-SAM key package key data
The inter-SAM key package key data is encryption key data used when card access key data or other data is exchanged after mutual authentication between SAMs.
IC card operation macro command script program
The IC card operation macro command script program is generated by the service enterprise itself, and describes the processing relating to the IC card 703, or the sequence of transactions with the ASP server 719. The IC card operation macro command script program is set in the SAM device 709 and then analyzed by the SAM chip 708, thereby generating corresponding IC card entity data.
O memory partitioning keybag
The memory partitioning key package is data for partitioning the external memory 707 or the memory area of the memory of the IC card 703 before the service enterprise starts the service using the IC card 703.
O area recording key package
The area recording key package is data used when area recording is performed in a storage area of the memory of the IC card 703 before a service company starts performing a service using the IC card 703.
O area deletion key package (internally generated)
The area deletion key package is a key package that can be automatically generated in the SAM based on the card access key data.
O service recording key package (internally generated)
The service recording key package is used to record the application unit data APE of the external memory 707 before the service enterprise starts a service using the IC card 703.
The service record key package is a key package that can be automatically generated in the SAM based on the card access key data.
O service deletion key package (internally generated)
The service deletion key package is used to delete the application unit data APE recorded in the external memory 707.
The service deletion key package is a key package that can be automatically generated in the SAM based on the card access key data.
O AP resource key data K_APE
When the application unit data APE is set, the key data K _ APE is used as an encryption key. Different key data K _ APE for setting the application unit data APE are allocated for each AP area.
The above-described IC card operation macro command script program (hereinafter also referred to as script program) is described in detail below.
The script program is a program for determining the application programs AP _1, AP _2, and AP _3 of the service enterprises 715_1, 715_2, and 715_3 running on the SAM chip 708, and the processing procedures executed by the IC card 703 when executing the application programs.
In the present embodiment, as described later, as shown in fig. 118, the SAM chip 708 performs processing according to a script download task 769 and a script interpretation task 770, and generates IC card entity template data 730_1, an input data block 731_ x1, an output data block 732_ x2, a running record data block 733_ x3, and a calculation definition data block 734_ x4 for a process involving service enterprises 715_1, 715_2, and 715_3, according to AP management table data and a script program.
Fig. 119 illustrates commands for describing the IC card operation macro command script program.
As for the command, a command regarding the SAM chip 708 itself is given with the initial "S", and a command relating to the operation of the IC card 703 is given with the initial "C".
In addition, the second letter is selectively used according to the application. For example, the second letter is "I" for the issuer setting description of the IC card 703, the second letter is "S" for the description of the application unit APE (service type unit description), the second letter is "R" for the simple reading description with respect to the IC card 703, the second letter is "W" for the simple writing description with respect to the IC card 703, and the second letter is "F" for the calculation definition of the application unit data APE.
The commands for describing the script programs 721_1, 721_2, and 721_3 include an SC command, an SO command, an SI command, an SL command, an SF command, a CI command, a CS command, a CR command, a CW command, and a CF command.
The SC command is a command that specifies the maximum number of IC card entity data that can be simultaneously processed by the SAM chip 708.
When the SAM chip 708 can process 1000 sets of IC card entity data at the same time, the description is "SC: 1000".
The SO command is a command explaining a data block constituting an output data block 732_ x2 that will hold data read from the IC card 703 among data blocks provided in the SAM chip 708 when processing is executed with the IC card 703 in accordance with IC card entity data described later.
For example, when data blocks 1 to 10 are provided and data read from the IC card 703 is to be saved in data block 1, the description is "SO: 1".
The SI command is a command specifying, among the data blocks provided in the SAM chip 708, the data block constituting the input data block 731_x1 that holds data to be written to the IC card 703 when processing is performed with the IC card 703 in accordance with IC card entity data described later.
For example, when data blocks 1 to 10 are provided and data to be written to the IC card 703 is saved in data blocks 2 and 3, the description is "SI: 2,3".
The SL command is a command explaining a data block constituting a run record data block 733_ x3 for saving run record data related to an operation among data blocks provided in the SAM chip 708 when processing is performed with the IC card 703 in accordance with IC card entity data described later.
For example, when data blocks 1 to 10 are provided and the run record data is saved in data block 4, the description is "SL: 4".
The SF command is a command providing the data block that constitutes the calculation definition data block 734_x4, which describes the definition of the relationship between the application unit data APEs with respect to the IC card 703.
The contents of the calculation definition data block 734_x4 become preprocessing information of the IC card entity data.
The CI command is a command that explains an issuer (service company) of the IC card 703.
The service company data defined by the CI command becomes the IC card type information of the IC card entity data.
The CS command is a command explaining simultaneous operation of several services to the IC card 703 by referring to the name APE _ N of the application unit data APE (service type unit). The CS command may also specify a function definition process within the application unit data APE specified by the name APE _ N.
For example, "CS: "Rc" + "Wc" + "Wd".
APE _ N specifying information and processing sequence information of the IC card entity data are determined according to the contents of the CS command.
The CR command specifies, when the relationship between the application unit data APEs is not defined (when no SF command is described), the data block in which data read from the IC card 703 is saved.
For example, when data read from the IC card 703 is saved in data block 1, the description is "CR: SO:1 = "Rc"".
The CW command specifies, when the relationship between the application unit data APEs is not defined, that the data stored in the specified data block is written to the IC card 703.
For example, when the data stored in data block 2 is written to the IC card 703, the description is "CW: SI:2 = "Wc"".
The CF command specifies the SF data block in which the computation content of a service is described.
For example, when the computation content of the service is described in SF data block 1, the description is "CF: CES_FUNC = SF:1".
Further, SF data block 1 contains, for example, the formula "if ("Wc" > 10) then ("Wc" = "Wc" - 10; "Wd" = "Wc" * 0.08 + "Wd")", expressing an operation of subtracting 10 from the value of Wc when the remaining number of services Wc is greater than 10, and adding points corresponding to 8% of Wc to the accumulated points Wd.
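The command set above is easiest to read as a small grammar. The following Python interpreter is an added example and not the SAM chip's own script interpretation task: it parses the SC, SO, SI, SL, SF, CI, CS, CR, CW and CF commands into the fields of an IC card entity template, rejects references to data blocks that the SAM does not provide or that were not declared by SO/SI, rejects CR/CW names not declared by CS, enforces that CR/CW appear only when no SF block is described (as the CR description states), and evaluates the SF data block 1 rule at the 8% rate given in the text. The exact spelling of the CR/CW/CF arguments (`SO:1 = "Rc"`, `CES_FUNC = SF:1`), the ten available data blocks, and the dictionary layout of the template are assumptions.

```python
import re

DATA_BLOCKS = range(1, 11)   # the text's example provides data blocks 1 to 10 (assumed here)


class ScriptError(ValueError):
    """Raised for a malformed or internally inconsistent script program."""


def _block_list(arg: str) -> list:
    """Parse 'SI: 2,3'-style block lists and reject blocks the SAM does not provide."""
    blocks = [int(x) for x in arg.split(",") if x.strip()]
    for n in blocks:
        if n not in DATA_BLOCKS:
            raise ScriptError(f"data block {n} is not provided by the SAM")
    return blocks


def _block_ref(arg: str, expected_kind: str) -> tuple:
    """Parse 'SO:1 = "Rc"' / 'SI:2 = "Wc"' (assumed spelling of the CR/CW arguments)."""
    m = re.fullmatch(r'(SO|SI):(\d+)\s*=\s*"([^"]+)"', arg)
    if not m or m.group(1) != expected_kind:
        raise ScriptError(f"bad {expected_kind} reference: {arg!r}")
    return int(m.group(2)), m.group(3)


def parse_script(text: str) -> dict:
    """Interpret a script program into the fields of an IC card entity template."""
    t = {"max_entities": None, "issuer": None, "out_blocks": [], "in_blocks": [],
         "log_blocks": [], "calc_blocks": [], "services": [], "reads": [],
         "writes": [], "calc_funcs": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, sep, arg = line.partition(":")
        if not sep:
            raise ScriptError(f"missing ':' in {line!r}")
        cmd, arg = cmd.strip().upper(), arg.strip()
        if cmd == "SC":                       # maximum simultaneous entity data
            t["max_entities"] = int(arg)
        elif cmd == "SO":                     # output data block (read from card)
            t["out_blocks"] = _block_list(arg)
        elif cmd == "SI":                     # input data block (written to card)
            t["in_blocks"] = _block_list(arg)
        elif cmd == "SL":                     # run record data block
            t["log_blocks"] = _block_list(arg)
        elif cmd == "SF":                     # calculation definition data block
            t["calc_blocks"] = _block_list(arg)
        elif cmd == "CI":                     # issuer (service company)
            t["issuer"] = arg
        elif cmd == "CS":                     # services operated together, by APE_N
            t["services"] = re.findall(r'"([^"]+)"', arg)
        elif cmd == "CR":
            t["reads"].append(_block_ref(arg, "SO"))
        elif cmd == "CW":
            t["writes"].append(_block_ref(arg, "SI"))
        elif cmd == "CF":
            m = re.fullmatch(r'(\w+)\s*=\s*SF:(\d+)', arg)
            if not m:
                raise ScriptError(f"bad CF definition: {arg!r}")
            t["calc_funcs"][m.group(1)] = int(m.group(2))
        else:
            raise ScriptError(f"unknown command {cmd!r}")
    # Consistency checks before the template is used to generate entity data.
    if t["max_entities"] is None or t["issuer"] is None:
        raise ScriptError("SC and CI are required")
    declared = set(t["services"])
    for blk, name in t["reads"]:
        if blk not in t["out_blocks"] or name not in declared:
            raise ScriptError(f"CR refers to undeclared block {blk} or service {name!r}")
    for blk, name in t["writes"]:
        if blk not in t["in_blocks"] or name not in declared:
            raise ScriptError(f"CW refers to undeclared block {blk} or service {name!r}")
    if (t["reads"] or t["writes"]) and t["calc_blocks"]:
        raise ScriptError("CR/CW are only for the case where no SF block is described")
    for func, blk in t["calc_funcs"].items():
        if blk not in t["calc_blocks"]:
            raise ScriptError(f"CF {func} refers to undeclared SF block {blk}")
    return t


def apply_calculation(wc: int, wd: float) -> tuple:
    """The SF data block 1 rule from the text, evaluated left to right:
    if Wc > 10, subtract 10 from Wc and add 8% of (the updated) Wc to the points Wd."""
    if wc > 10:
        wc = wc - 10
        wd = wc * 0.08 + wd
    return wc, wd
```

A script that names a block outside the SO/SI declaration, or a service not listed by CS, is refused before any entity data is generated, which is where a mistyped script from a service enterprise's personal computer should be caught.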
Data held in the AP management memory area 7221 of the external memory 707 shown in fig. 115 will be described below.
Access to the AP management save area 7221 is limited by a firewall FW _ 4.
Note that the firewall FW _4 corresponds to the firewall FW shown in fig. 114.
Fig. 120 illustrates details of the data stored in the AP management save area 7221.
As shown in fig. 120, the AP management storage area 7221 holds AP management table data 7300_1, 7300_2, and 7300_3 (management data of the present invention) and APP table data 7310_1, 7310_2, and 7310_3 (application permission data of the present invention).
Here, the AP management table data 7300_1, 7300_2, and 7300_3 and the APP table data 7310_1, 7310_2, and 7310_3 are recorded in advance when the SAM chip 708 is configured. Further, the AP management table data 7300_1, 7300_2, and 7300_3 and the APP table data 7310_1, 7310_2, and 7310_3 can only be rewritten by a manager of the SAM chip 708.
AP management table data 7300_1, 7300_2, and 7300_3 are defined with respect to each application AP.
Further, APP table data 7310_1, 7310_2, and 7310_3 are defined with respect to each SAM mutual authentication key data.
Fig. 121 illustrates AP management table data 7300_ 1. The formats of the AP management table data 7300_2 and 7300_3 are the same as the AP management table data 7300_ 1.
As shown in fig. 121, it represents identification data APE _ ID, internal/external instruction data IEI, identification data SAM _ ID, identification data AP _ ID, key data K _ CARDA (second key data of the present invention), key data K _ SAM (first key data of the present invention), data SET _ APP, data FLAG _ IP, and data FLAG _ STR linked together with respect to respective names APE _ N of viewed application unit data APE used in the IC card operation macro command script program.
The name APE_N of the application unit data APE is a name assigned to a service (application unit data APE) provided by the application programs of the service enterprises 715_1, 715_2, and 715_3. The name APE_N is the identifier referred to in the script program, not the name of the service that the application of the respective service enterprise can use.
Here, the identification data APE _ ID is identification data of the application unit data APE.
The internal/external indication data IEI is a flag distinguishing whether the APE is present in this SAM as an entity (internal designation) or is referenced from another SAM (external designation).
The identification data SAM _ ID is identification data of the SAM located on the other side of the transfer data when the SAM chip 708 is performing processing relating to the application unit data APE.
Fig. 122 illustrates the SAM_ID.
SAM _ ID is 4 bytes of data and has a concept similar to the network mask of TCP/IP. The net mask may be set in units of bits.
For example, the net mask as shown in fig. 122 is divided into three classes, i.e., a class a, B, and C. Further, between SAMs assigned with the same network mask, one type of key data for mutual authentication is sufficient. For example, in this embodiment, the same service enterprise is assigned the same network mask.
In fig. 122, the class a network mask is indicated by "255. xx.xx.xx", the first byte is assigned a predetermined value specifying the class, and the last three bytes are assigned values specifying a single SAM belonging to the class. Here, "XX" may be set to any numerical value. That is, a class a network mask may be used to determine 16777215 SAM _ IDs belonging to class a.
Further, a class B network mask is indicated by "255.255.XX.XX"; the first two bytes are assigned a predetermined value specifying the class, and the last two bytes are assigned a value specifying a single SAM belonging to the class. That is, a class B network mask may be used to determine 65535 SAM_IDs belonging to class B.
Further, a class C network mask is indicated by "255.255.255.XX"; the first three bytes are assigned a predetermined value specifying the class, and the last byte is assigned a value specifying a single SAM belonging to the class. That is, a class C network mask may be used to determine 255 SAM_IDs belonging to class C.
The identification data AP _ ID is identification data of an application program executed by the SAM of the other party that transmits data when the SAM chip 708 performs processing relating to the application unit data APE.
The key data K _ CARDA is key data for transferring data with the memory 750 of the IC card 703 when the SAM chip 708 performs processing relating to the application unit data APE.
The key data K _ SAM is key data for transferring data with another SAM when the SAM chip 708 performs processing relating to the application unit data APE.
The data SET _ APP is data for specifying APP table data 7310_1, 7310_2, and 7310_3 that are used (viewed) when the SAM chip 708 performs processing relating to the application unit data APE.
The data FLAG _ IP is FLAG data indicating whether or not to disclose data managed (held) by the SAM chip 708 to another SAM chip 708 or the like.
The data FLAG _ STR is FLAG data indicating whether or not data managed (held) by the SAM chip 708 is allowed to be held by another SAM chip 708 or the like.
In fig. 121, APE_N "service a" is an access key of the IC card 703 determined by an application program in the SAM chip 708. The key data of "service a" is set as not public, so neither an application program of another SAM nor another application program of the same SAM can refer to it.
"service C" is likewise an access key of the IC card 703 determined by the application program. Since the SAM is assigned a class C network mask as described above, the key data of "service C" is disclosed to applications on SAMs whose SAM_ID matches "43.17.19.XX", and the SAM mutual authentication key for them is "TT1 ... TTn". Whether another SAM may hold the key data of "service C" until its next use is also determined here. When holding is permitted, the other SAM does not need to obtain the card access key from this SAM again when it next uses "service C" on the card.
The access key of "service B" is not obtained from this SAM but from the SAM with SAM_ID "43.17.19.XX", using "SS1 ... SSn" as the mutual authentication key between the SAMs. Whether the access key of "service B" may be held until the next use is determined by the flag specified by that SAM.
The "service B run record" indicates the file in which the run record data is saved, and the SAM_ID "43.13.137.XX" is assigned to it. The "service B run record" has the same SAM network mask as "service B", so its mutual authentication key is also "SS1 ... SSn". Here, APP table data is provided for each mutual authentication key. In this example, permission to access the "service B run record" and "service B" is determined in the APP table data 7310 of the other SAM, and the AP management table data on that SAM checks the access permission.
Fig. 123 illustrates APP table data 7310_ 1.
The format of the APP table data 7310_2 and 7310_3 is the same as that of the APP table data 7310_1.
As shown in fig. 123, APP table data 7310_1 indicates identification data APE _ ID of each application unit data APE and whether the application unit data APE can be read, written, or executed from another application program (another application unit data APE).
For example, the APP table data 7310_1 shown in fig. 123 indicates that, for the "service B run record", reading and writing are possible but execution (deletion) is not.
Further, the AP management memory area 7221 of the external memory 707 shown in fig. 115 holds AP selection data linking the IC card type data and the AP_ID.
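The SAM_ID mask, the FLAG_IP and FLAG_STR flags of the AP management table, and the read/write/execute bits of the APP table together decide whether a peer SAM may be handed a card access key. The following Python is an added example and not the patent's own code: it classifies a mask as class A, B or C by how many leading bytes it fixes, tests whether a concrete 4-byte SAM_ID falls under a mask, and evaluates a key request in the order FLAG_IP, SAM_ID mask, APP table read permission, returning the mutual authentication key to use and whether the requester may hold the key until its next use. The dataclass field names follow fig. 121 and fig. 123; the row contents, key strings and the evaluation order are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ApeEntry:
    """One row of AP management table data (fields named as in fig. 121)."""
    ape_n: str
    internal: bool      # IEI: True if the APE entity is held in this SAM
    sam_id: str         # SAM_ID mask of the peer SAM, e.g. "43.17.19.XX"
    k_carda: str        # card access key data (what a peer may be given)
    k_sam: str          # mutual authentication key shared under that mask
    set_app: str        # which APP table applies to this row
    flag_ip: bool       # may the key be disclosed to another SAM?
    flag_str: bool      # may another SAM hold the key until its next use?


@dataclass
class AppPermission:
    """One row of APP table data: what another AP may do with the APE."""
    read: bool
    write: bool
    execute: bool


def mask_prefix(pattern: str) -> tuple:
    """'43.17.19.XX' -> (43, 17, 19). Wildcard 'XX' bytes must be trailing."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"SAM_ID mask must have 4 bytes: {pattern!r}")
    fixed = []
    for p in parts:
        if p.upper() == "XX":
            break
        fixed.append(int(p))
    if any(p.upper() != "XX" for p in parts[len(fixed):]) or not 1 <= len(fixed) <= 3:
        raise ValueError(f"malformed SAM_ID mask: {pattern!r}")
    if any(not 0 <= b <= 255 for b in fixed):
        raise ValueError(f"byte out of range in mask: {pattern!r}")
    return tuple(fixed)


def mask_class(pattern: str) -> str:
    """Class A, B or C according to how many leading bytes the mask fixes."""
    return {1: "A", 2: "B", 3: "C"}[len(mask_prefix(pattern))]


def in_mask(pattern: str, sam_id: str) -> bool:
    """True if the concrete 4-byte SAM_ID falls under the mask."""
    octets = [int(x) for x in sam_id.split(".")]
    if len(octets) != 4 or any(not 0 <= b <= 255 for b in octets):
        raise ValueError(f"malformed SAM_ID: {sam_id!r}")
    prefix = mask_prefix(pattern)
    return tuple(octets[:len(prefix)]) == prefix


def key_request(ap_table: dict, app_tables: dict, ape_n: str, requester: str) -> dict:
    """Decide whether the SAM with SAM_ID `requester` may receive the card access key for ape_n.
    Checks in order: FLAG_IP, SAM_ID mask, then the APP table's read permission (assumed order)."""
    entry = ap_table[ape_n]
    if not entry.flag_ip:
        return {"granted": False, "reason": "key data is not public"}
    if not in_mask(entry.sam_id, requester):
        return {"granted": False, "reason": "requester is outside the SAM_ID mask"}
    perm = app_tables[entry.set_app].get(ape_n)
    if perm is None or not perm.read:
        return {"granted": False, "reason": "APP table denies read"}
    return {"granted": True, "auth_key": entry.k_sam, "card_key": entry.k_carda,
            "may_hold": entry.flag_str}


# Constructed rows modelled on the "service a" / "service C" discussion (not the patent's values).
AP_TABLE = {
    "service a": ApeEntry("service a", True, "43.17.19.XX", "KA", "AA1", "APP_1", False, False),
    "service C": ApeEntry("service C", True, "43.17.19.XX", "KC", "TT1", "APP_1", True, True),
}
APP_TABLES = {"APP_1": {"service C": AppPermission(True, True, False),
                        "service B run record": AppPermission(True, True, False)}}
```

Checking FLAG_IP before the mask means a non-public key is never disclosed even to a SAM inside the mask, and a peer that is granted the key is told explicitly whether it may cache it, so the holding decision is made by the owning SAM and not by the requester.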
The IC card type data represents the type of the IC card shown in fig. 109, and is identification data of a credit card company that performs settlement of a transaction using the IC card 703.
In the present embodiment, the IC card operation macro command script program defines (describes) therein service contents combining the names APE _ N of the several application unit data APEs. By describing the service contents in IC card entity data (job management data) described later, it is possible to provide a service combining services corresponding to several application unit data APEs.
For example, a service combining a reading service of reading data from the IC card 703 and a writing service of writing data to the server 702 may be defined in the IC card entity data.
Further, when executing the services provided by the service enterprises 715_1, 715_2, and 715_3, the APE _ N or its service number is an operation command sent to the IC card 703 and can be analyzed by the IC card 703.
The application program AP _1 is determined by the AP management table data 7300_1 stored in the external memory 707 and a predetermined IC card operation macro command script program.
The application program AP _2 is determined by the AP management table data 7300_2 stored in the external memory 707 and a predetermined IC card operation macro command script program.
The application program AP _3 is determined by the AP management table data 7300_3 stored in the external memory 707 and a predetermined IC card operation macro command script program.
[ SAM chip 708]
The SAM chip 708 is connected to the ASP server 719 through a SCSI port, ethernet, or the like. The ASP server 719 connects several terminal devices including the personal computer 705 of the end user and the personal computers 716_1, 716_2, and 716_3 of the service enterprises 715_1, 715_2, and 715_3 through the internet 710.
The personal computer 705 is connected to the dumb-type reader/writer 704 through a serial port or a USB port. The reader/writer 704 realizes the physical wireless communication with the IC card 703.
An operation command sent to the IC card 703 is generated on the SAM device 709 side, and the response packet from the IC card 703 is analyzed there. Thus, the reader/writer 704, the personal computer 705, and the ASP server 719 interposed between them only carry the command or response contents in the data payload section and relay it; they do not take part in encryption or decryption of data, authentication, or other actual operations on the IC card 703.
The personal computers 716_1, 716_2, and 716_3 can download a script program, which will be described later, onto the SAM chip 708, thereby customizing the application programs AP _1, AP _2, and AP _ 3.
Fig. 124 is a functional block diagram of the SAM chip 708 shown in fig. 109.
As shown in fig. 124, the SAM chip 708 has an ASPS communication interface means 760, an external memory communication interface means 761, a bus scrambling means 762, a random number generator 763, an encryption/decryption means 764, a memory 765, and a CPU 766.
The SAM chip 708 is a tamper-resistant module.
The ASPS communication interface means 760 is an interface for inputting and outputting data with respect to the ASP server 719 shown in fig. 109.
The external memory communication interface device 761 is an interface for inputting and outputting data to and from the external memory 707.
The bus scrambling device 762 scrambles output data and descrambles input data when inputting and outputting data through the external memory communication interface device 761.
The random number generator 763 generates a random number used in the authentication process.
The encryption/decryption device 764 encrypts data and decrypts encrypted data.
Memory 765 holds tasks, programs, and data used by CPU 766, as described below.
The CPU 766 executes a script download task, a script interpretation task, an entity generation task (job management data generation task), and an IC card process management task (job management data management task), which will be described later, in accordance with a predetermined program (program of the present invention), as well as other tasks.
The following describes the tasks, programs, and data stored in the memory 765.
Fig. 125 illustrates tasks, programs, and data stored in memory 765.
As shown in fig. 125, memory 765 holds script download task 769, script interpretation task 770, entity generation task 771, IC card process management task 772, IC card operation macro script programs 721_1-721_3, AP management table data 7300_1-7300_3, APP table data 7310_1-7310_3, IC card entity template data 730_1-730_3, IC card entity data 773_x, input data block 731_x1, output data block 732_x2, log data block 733_x3, and calculation definition data block 734_x4.
As shown in fig. 118, the script download task 769 loads AP management table data 7300_1-7300_3 (APP table data 7310_1-7310_3, if needed) from the computers of the respective service enterprises and loads them into the SAM chip 708.
The script interpretation task 770 generates IC card entity template data, input data blocks, output data blocks, log data blocks, and calculation definition data blocks of each enterprise using the service definition table data (APP table data 7310_1-7310_3, if necessary) and the script program.
The number of data blocks generated for each enterprise is not particularly limited.
When the entity generation task 771 receives an entity generation request from the ASP server 719, it performs polling with respect to the IC card 703 and then generates IC card entity data for processing of a process between the IC card 703 and a service enterprise using IC card entity template data corresponding to the service enterprise. At this time, the IC card entity template data becomes a category, and the IC card entity data is generated in the form of an example of the category.
The process of the entity generating task 771 generating IC card entity data will be described later in detail.
The IC card process management task 772 performs the processing of the process between the IC card 703 and the service enterprises 715_1 to 715_3 using one or more IC card entity data 773_x existing in the memory 765.
In the present embodiment, several processes performed between several IC cards 703 and the service enterprises 715_1 to 715_3 are carried out simultaneously.
The IC card process management task 772 executes these several processes of the plurality of processes in parallel.
When the series of processes is completed, the IC card process management task 772 deletes the IC card entity data 773_x.
The processing of the IC card process management task 772 will be described in detail later.
The script programs 721_1 to 721_3 are input from the external memory 707 by the script download task 769 and saved in the memory 765.
AP management table data 7300_1-7300_3 is input from the external memory 707 by the script download task 769 and saved into the memory 765.
APP table data 7310_1-7310_3 is input from the external memory 707 by the script download task 769 and saved into the memory 765.
IC card entity template data 730_1 to 730_3 are generated by the script interpretation task 770 and used as templates (categories) when generating IC card entity data 773_x for processes related to service enterprises.
The entity generating task 771 generates the IC card entity data 773_x in the form of one example of a category by using the IC card entity template data 730_1-730_3 as the category.
The input data blocks 731_x1, output data blocks 732_x2, log data blocks 733_x3, and calculation definition data blocks 734_x4 are generated by the script interpretation task 770.
The IC card entity data 773_x is explained below.
When the SAM chip 708 receives a processing request from the ASP server 719 to be processed using the IC card 703 and an application of a predetermined service enterprise, IC card entity data 773_x is generated in the SAM chip 708 by the entity generating task 771 using the already generated IC card entity template data corresponding to that service enterprise.
Fig. 126 illustrates the format of the IC card entity data 773_x.
As shown in fig. 126, IC card entity data 773_x has management pointer data 780, entity ID data 781, entity status data (status data) 782, IC card type information 783, APE_N specifying data 784, processing order data 785, preprocessing data 786, and post-processing data 787.
The management pointer data 780 is a bidirectional pointer for managing the IC card entity data 773_x in the memory 765.
The entity ID data 781 is used for generation of the IC card entity data 773_x, confirmation of the progress state, deletion, and the other series of requests for processing using the IC card entity data 773_x. The entity ID data 781 is also a return value given to the end user. The entity ID data 781 corresponds to a descriptor when a file is opened in a general file system.
The entity status data 782 represents the status of the progress of the process related to the IC card 703.
As shown in fig. 127, the basic state of the IC card entity data 773_ x includes a state (RS) of a process of investigating a service that the IC card 703 can use, a state (a1) of a process by which the SAM chip 708 verifies the IC card 703, a state (a2) of a process by which the IC card 703 verifies the SAM chip 708, a state (R) of a process of reading data from the IC card 703, and a state (W) of a process of writing data to the IC card 703.
In the present embodiment, the process of investigating the service enterprise, the process of verifying the IC card 703 by the SAM chip 708, the process of verifying the SAM chip 708 by the IC card 703, the process of reading data from the IC card 703, and the process of writing data into the IC card 703 correspond to jobs.
As described later, a "job" is a processing unit for which the IC card process management task 772 determines the execution order.
Note that a1 and a2 constitute mutual authentication processing between the IC card 703 and the SAM chip 708.
Further, in the present embodiment, in consideration of the communication time on the internet 710, as shown in the state transition diagram of fig. 127, the above-mentioned basic state is divided into a post-startup (after issuing a command) state and a completion (after receiving a response) state.
Specifically, the state of processing using the IC card entity data 773_x is managed by an instance generation (IC card entity data generation) state, an RS post-startup state, an RS completion state, an a1 post-startup state, an a1 completion state, an a2 post-startup state, an a2 completion state, an R post-startup state, an R completion state, a W post-startup state, a W completion state, and an instance (IC card entity data) deletion state.
The IC card type information 783 is information for determining a service company that issues the IC card 703.
In generating the IC card entity data 773_x, the IC card type data 783 is set with data determined by the CI command in the script program mentioned above.
The service type unit specifying data 784 represents the AP management table data 7300_1-7300_3 and the application unit data APE defined in the APP table data 7310_1-7310_3 used in the processing using the IC card entity data 773_x.
In generating the IC card entity data 773_x, the service type unit specifying data 784 is set with one or more application unit data APEs specified by the CS command in the script program mentioned above.
The processing order data 785 indicates the execution order of the services (jobs) used in utilizing the IC card entity data 773_x, i.e., the state transition shown in fig. 127.
That is, the processing order data 785 corresponds to the execution order of the jobs of the basic operation of the IC card 703 using the application unit data APE.
Here, as described later, the jobs correspond to RS, a1, a2, R, and W shown in fig. 127. The specific operation on the IC card 703 is realized by a processing sequence specified by a job. For example, for a process using the IC card 703 in a case where there is only reading without mutual authentication, the processing order information 785 is set to "RS → R". Further, in the case of reading and writing with mutual authentication, the processing order information 785 is set to "RS → a1 → a2 → R → W".
When the IC card entity data 773_x is generated, the processing order information 785 is set with the job order shown in fig. 127 corresponding to the order of the service units specified in the CS command in the script program mentioned above.
The pre-processing information 786 is set from the ASP server 719 side with management data for performing the use of the IC card entity data 773_x.
For example, the preprocessing information 786 is set with the number of points of a calculation formula specifying a service in the SF data block (application unit data APE).
Further, when the inter-service processing function is not defined, the pre-processing information 786 is set with the requested processing charge (charge).
For example, in the case of settlement, a state relating to the amount of charge or points to be given is set.
The post-processing information 787 is set with data of the processing result of the IC card entity data 773_x required on the ASP server 719 side. For example, in the case of settlement, the post-processing information 787 is set with data indicating that the settlement ended normally.
The processing routine performed by the IC card process management task 772 shown in fig. 125 in association with the several IC cards 703 using the several IC card entity data 773_x will be explained.
The IC card process management task 772 is continuously started on the CPU 766 of the SAM chip 708 shown in fig. 124.
Fig. 128 is a flowchart of processing performed by the IC card process management task 772.
Step ST701:
the IC card process management task 772 selects one IC card entity data 773_x from among the several IC card entity data 773_x existing in the memory 765 to perform the next process.
The method of selecting the IC card entity data 773_x may be to sequentially select the IC card entity data 773_x existing in the memory 765, or to assign a priority order and select in order of the highest priority.
Step ST702:
the IC card process management task 772 determines whether the job of the IC card entity data 773_x selected at step ST701 has been started. When it judges that the job has been started, it proceeds to step ST705, and when it judges that the job has not been started, it proceeds to step ST703.
Step ST703:
the IC card process management task 772 judges, based on the entity status information 782 shown in fig. 126 of the IC card entity data 773_x selected at step ST701, in which state of the state transition diagram shown in fig. 127 the process related to the entity data 773_x is, and determines the job to be executed next based on the processing order information 785.
At this time, the processing order information 785 determines the execution order of the jobs using the service units set in the service definition table data as described earlier.
Step ST704:
the IC card process management task 772 starts the job selected at step ST703.
The IC card process management task 772 executes the job using the input data block 731_x1, the output data block 732_x2, the log data block 733_x3, and the data block related to the job in the calculation definition data block 734_x4 explained above with reference to fig. 125.
At this time, when a command is issued to the IC card 703 in executing a job, the IC card process management task 772 searches the AP management table data 7300_1-7300_3 using the service unit corresponding to the job as the search key, thereby obtaining the service number corresponding to the service unit (an operation command of the IC card 703 that the IC card 703 can analyze). Further, the IC card process management task 772 issues a command to the IC card 703 using the obtained service number.
Further, as explained with fig. 113, when key information is required to access the storage area of the IC card 703a, the IC card process management task 772 searches the AP management table data 7300_1 to 7300_3 using the service unit corresponding to the job and obtains the key information corresponding to the service unit. Further, the IC card process management task 772 completes mutual authentication with the IC card 703 using the key information, encrypts and decrypts data, or performs other processing, and obtains the authority to access a predetermined storage area of the IC card 703.
Step ST705:
when the IC card process management task 772 has issued a command to the IC card 703 and is waiting for the processing result of the IC card 703, step ST705 is executed.
When the IC card process management task 772 receives the processing result from the IC card 703, it places the result in the IC card entity data 773_x.
Step ST706:
the IC card process management task 772 updates the entity status information 782 of the IC card entity data 773_x shown in fig. 126.
In this way, in the present embodiment, the IC card process management task 772 performs the processing of the several IC cards 703 existing in the SAM chip 708 in parallel while selecting the IC card entity data 773_ x of the several IC cards 703 in order. Thus, even when a processing request of a process using several IC cards 703 is received, the SAM chip 708 can continue the processing at the same time.
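The scheduling loop of steps ST701 to ST706, as an added simulation in Python (not code from the patent): two IC card entity data with the processing orders "RS → R" and "RS → a1 → a2 → R → W" are selected in sequence, and the post-startup state of a job lets the task move on to the other entity while the card's response is still in transit. The card link, its one-pass latency and the response strings are constructed for the simulation.

```python
"""Simulation of the IC card process management task 772 (fig. 128).

Added example, not code from the patent. Job names RS, A1, A2, R, W and the
post-startup / completion states follow fig. 127; the card link, its latency
and the response contents are constructed for this simulation.
"""
from dataclasses import dataclass, field

# Processing order data 785 for the two orders given in the text.
ORDER_READ_ONLY = ["RS", "R"]
ORDER_AUTHENTICATED_RW = ["RS", "A1", "A2", "R", "W"]


@dataclass
class EntityData:
    """IC card entity data 773_x reduced to the fields the scheduler touches."""
    entity_id: int                      # entity ID data 781
    processing_order: list              # processing order data 785
    status: str = "instance_generated"  # entity status data 782
    job_index: int = 0                  # position of the next job in the order
    started: bool = False               # True while a command is outstanding
    results: dict = field(default_factory=dict)  # post-processing data 787


class CardLink:
    """Constructed model of the path SAM -> ASP server -> PC -> reader/writer
    -> IC card 703. A response becomes available `latency` scheduler passes
    after the command was issued."""

    def __init__(self, latency=1):
        self.latency = latency
        self.in_flight = {}  # entity_id -> [job, passes_remaining]

    def issue(self, entity_id, job):
        self.in_flight[entity_id] = [job, self.latency]

    def advance(self):
        for entry in self.in_flight.values():
            entry[1] -= 1

    def response_for(self, entity_id):
        entry = self.in_flight.get(entity_id)
        if entry is None or entry[1] > 0:
            return None  # the card has not answered yet
        del self.in_flight[entity_id]
        return entry[0] + "_ok"  # constructed response packet


class ProcessManagementTask:
    def __init__(self, entities, link):
        self.entities = list(entities)  # entity data present in memory 765
        self.link = link
        self.trace = []  # (entity_id, status) after each scheduling step

    def step(self, e):
        """One pass of steps ST702-ST706 for one selected entity data."""
        if e.started:  # ST702: job already started -> ST705
            resp = self.link.response_for(e.entity_id)
            if resp is None:
                return "waiting"  # leave it; other entities get the CPU
            job = e.processing_order[e.job_index]
            e.results[job] = resp
            e.started = False
            e.job_index += 1
            e.status = job + "_complete"  # ST706: completion state
            return "completed"
        if e.job_index >= len(e.processing_order):
            e.status = "instance_deleted"  # all jobs done: delete the entity
            return "done"
        job = e.processing_order[e.job_index]  # ST703: next job from data 785
        self.link.issue(e.entity_id, job)     # ST704: start it
        e.started = True
        e.status = job + "_post_startup"      # post-startup state
        return "started"

    def run(self, max_passes=100):
        """ST701 with sequential selection, until every entity is deleted."""
        passes = 0
        while self.entities and passes < max_passes:
            passes += 1
            for e in list(self.entities):
                outcome = self.step(e)
                self.trace.append((e.entity_id, e.status))
                if outcome == "done":
                    self.entities.remove(e)
            self.link.advance()
        return passes


def simulate():
    """Two cards handled in parallel: one read-only, one with mutual authentication."""
    e1 = EntityData(1, list(ORDER_READ_ONLY))
    e2 = EntityData(2, list(ORDER_AUTHENTICATED_RW))
    task = ProcessManagementTask([e1, e2], CardLink(latency=1))
    passes = task.run()
    return passes, task.trace, e1, e2


if __name__ == "__main__":
    passes, trace, e1, e2 = simulate()
    print(passes, "scheduler passes")
    for entry in trace:
        print(entry)
```

The trace shows card 2's RS command being issued while card 1's RS response is still outstanding, which is the overlap described for the post-startup state.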
Fig. 129 and 130 illustrate the processing performed by the SAM chip 708 when, while executing a job at step ST704 in fig. 128 described above, a routine determined by one application unit data APE uses another application unit data APE or accesses its data.
Step ST741:
when processing is performed according to predetermined application unit data APE, the application program to be used (accessed) and the application unit data in that application program are specified.
Furthermore, the usage specifies one of reading, writing, and execution of the application unit data APE.
Step ST742:
the SAM chip 708 judges whether or not the application unit data APE specified in step ST741 exists in the SAM chip 708. If it is judged not to exist in the SAM chip 708, the process proceeds to step ST743, and if it is judged to exist in the SAM chip 708, the process proceeds to step ST745.
Step ST743:
the SAM chip 708 checks the AP management table data 7300_1-7300_3 corresponding to the application program being executed, obtains the key data K_SAM corresponding to the corresponding service (application unit data APE), and performs mutual authentication using the key data K_SAM with the SAM chip 708a having the application unit data APE to be used.
Step ST744:
if the SAM chips 708 and 708a confirm the legitimacy of each other in the mutual authentication at step ST743, the SAM chip 708 proceeds to the processing at step ST747. If the legitimacy of each other is not confirmed, it goes to step ST751.
Step ST745:
the SAM chip 708 checks the AP management table data 7300_1-7300_3 corresponding to the application being executed, and obtains the key data K_SAM corresponding to the service (application unit data APE).
Further, with respect to the application unit data APE to be used, which is also specified at step ST741, the SAM chip 708 similarly looks at the AP management table data 7300_1 to 7300_3 corresponding to that application unit data APE, and obtains the key data K_SAM corresponding to the corresponding service (application unit data APE).
Further, the SAM chip 708 compares the two obtained key data K_SAM.
Step ST746:
when the SAM chip 708 judges that the two pieces of key data K_SAM compared in the processing at step ST745 match, the routine proceeds to the processing at step ST747; otherwise it proceeds to step ST751.
Step ST747:
the SAM chip 708 or 708a checks the AP management table data 7300_1-7300_3 corresponding to the application program specified at step ST741, and determines the APP table data 7310_1-7310_3 corresponding to the used application unit data APE.
Step ST748:
the SAM chip 708 or 708a judges the access authority of the application unit data APE to be used (accessed) based on the APP table data 7310_1-7310_3 specified at step ST747.
Specifically, it judges the authority to read, write, and execute the application unit data APE to be used.
Step ST749:
when the SAM chip 708 or 708a judges at step ST748 that there is an access right, it goes to step ST750; otherwise it goes to the process at step ST751.
Step ST750:
the SAM chip 708 or 708a uses the application unit data APE specified at step ST741 for the application specified at step ST741.
Step ST751:
the SAM chip 708 or 708a does not use the application unit data APE specified at step ST741 for the application specified at step ST741.
Further, when the SAM chip 708 transfers data to or from the IC card 703 in accordance with the routine determined by the application unit data APE while executing the job at step ST704 of fig. 128 described above, the SAM chip 708 checks the AP management table data 7300_1-7300_3 shown in fig. 125, obtains the key data K_CARD corresponding to the application unit data APE, and accesses the memory 750 of the IC card 703 using the key data K_CARD.
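The decision of steps ST741 to ST751, as an added Python example (not the patent's code): when the APE exists in the same SAM, the executing application's K_SAM is compared with the owning application's K_SAM; when it does not, a mutual authentication between the two SAMs is run instead; the APP table's read/write/execute rights are checked last. The tables, key bytes, SAM IDs and the HMAC challenge-response that stands in for the mutual authentication of ST743 are all constructed assumptions, since the patent fixes neither the key format nor the protocol.

```python
"""Access decision of fig. 129/130 (steps ST741-ST751) for application unit
data APE used inside one SAM or across two SAMs.

Added example, not the patent's code. Tables, keys, SAM IDs and the HMAC
challenge-response standing in for ST743 are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

USAGES = ("read", "write", "execute")  # the three usages named at ST741


@dataclass
class Sam:
    sam_id: str
    ap_mgmt: dict    # AP management table data 7300_x: app -> APE -> K_SAM
    app_table: dict  # APP table data 7310_x: app -> APE -> permitted usages

    def has_ape(self, app, ape):        # ST742: does this APE exist here?
        return ape in self.ap_mgmt.get(app, {})

    def k_sam(self, app, ape):          # key data K_SAM of a service
        return self.ap_mgmt[app][ape]

    def respond(self, key, challenge):  # proves knowledge of K_SAM
        return hmac.new(key, challenge, hashlib.sha256).digest()


def mutual_authenticate(a, key_a, b, key_b):
    """Constructed stand-in for ST743: each SAM challenges the other and
    checks the answer against its own copy of K_SAM."""
    ch_a, ch_b = secrets.token_bytes(16), secrets.token_bytes(16)
    b_ok = hmac.compare_digest(b.respond(key_b, ch_a), a.respond(key_a, ch_a))
    a_ok = hmac.compare_digest(a.respond(key_a, ch_b), b.respond(key_b, ch_b))
    return a_ok and b_ok


def resolve_ape_access(sam, app, ape_app, ape, usage, other_sams=()):
    """("allow"|"deny", reason) for `app` on `sam` using APE `ape` that belongs
    to application `ape_app`, with the requested usage."""
    if usage not in USAGES:
        raise ValueError("usage must be read, write or execute")
    k_local = sam.ap_mgmt.get(app, {}).get(ape)  # key held by executing app
    if k_local is None:
        return "deny", "ST751: executing application holds no K_SAM for the service"
    if sam.has_ape(ape_app, ape):                 # ST742 -> ST745
        if not hmac.compare_digest(k_local, sam.k_sam(ape_app, ape)):
            return "deny", "ST751: K_SAM of the two applications differ (ST746)"
        holder = sam
    else:                                         # ST742 -> ST743 (other SAM)
        holder = next((s for s in other_sams if s.has_ape(ape_app, ape)), None)
        if holder is None or not mutual_authenticate(
                sam, k_local, holder, holder.k_sam(ape_app, ape)):
            return "deny", "ST751: mutual authentication between SAMs failed (ST744)"
    rights = holder.app_table.get(ape_app, {}).get(ape, frozenset())  # ST747
    if usage not in rights:                       # ST748 / ST749
        return "deny", f"ST751: {usage} of {ape} not permitted"
    return "allow", f"ST750: {usage} of {ape} on {holder.sam_id}"


def build_sample_sams():
    """Constructed tables: SAM_A runs AP_1..AP_3, SAM_B runs AP_4."""
    k_points, k_balance = bytes(range(16)), bytes(range(16, 32))
    k_wrong = b"\xff" * 16
    sam_a = Sam("SAM_A",
                ap_mgmt={"AP_1": {"SF_points": k_points, "SF_balance": k_balance},
                         "AP_2": {"SF_points": k_points},
                         "AP_3": {"SF_points": k_wrong, "SF_balance": k_wrong}},
                app_table={"AP_1": {"SF_points": frozenset({"read", "write"})}})
    sam_b = Sam("SAM_B",
                ap_mgmt={"AP_4": {"SF_balance": k_balance}},
                app_table={"AP_4": {"SF_balance": frozenset({"read"})}})
    return sam_a, sam_b


def demo():
    a, b = build_sample_sams()
    return {
        "same_sam_ok": resolve_ape_access(a, "AP_2", "AP_1", "SF_points", "read")[0],
        "same_sam_bad_key": resolve_ape_access(a, "AP_3", "AP_1", "SF_points", "read")[0],
        "same_sam_no_exec": resolve_ape_access(a, "AP_2", "AP_1", "SF_points", "execute")[0],
        "cross_sam_read": resolve_ape_access(a, "AP_1", "AP_4", "SF_balance", "read", [b])[0],
        "cross_sam_write": resolve_ape_access(a, "AP_1", "AP_4", "SF_balance", "write", [b])[0],
        "cross_sam_bad_key": resolve_ape_access(a, "AP_3", "AP_4", "SF_balance", "read", [b])[0],
        "no_key": resolve_ape_access(a, "AP_2", "AP_4", "SF_balance", "read", [b])[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```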
The overall operation of the communication system shown in fig. 109 will be described below.
Fig. 131 and 132 illustrate the overall operation of the communication system 701 shown in fig. 109.
Step ST721:
the service enterprises 715_1 to 715_3, or a party requested by these enterprises, generate script programs 721_1, 721_2, and 721_3 on the personal computers 716_1, 716_2, and 716_3 shown in fig. 109; the script programs 721_1, 721_2, and 721_3 describe the processing of transactions by the service enterprises using the IC card 703.
Further, the manager of the SAM chip 708 generates AP management table data 7300_1-7300_3 corresponding to the service enterprises 715_1-715_3.
Step ST722:
the AP management table data 7300_1 to 7300_3 generated in step ST721 is stored in the external memory 707.
Further, the script programs 721_1, 721_2, and 721_3 generated in step ST721 are downloaded from the personal computers 716_1, 716_2, and 716_3 to the external memory 707 via the internet 710, the ASP server 719, and the SAM chip 708. As shown in fig. 118, processing regarding downloading is managed by a script download task 769 in the SAM chip 708.
Step ST723:
the script interpretation task 770 in the SAM chip 708 shown in fig. 118 generates IC card entity template data, an input data block, an output data block, a log data block, and a calculation definition data block for each service enterprise using the AP management table data 7300_1-7300_3 and the script program.
The generated data is stored in the memory 765 of the SAM chip 708 shown in fig. 124.
Step ST724:
the IC card 703 is issued to the user.
As shown in fig. 113, a memory 750 of an IC 703a of the IC card 703 holds key information for transactions agreed by the user and the service enterprise.
Note that after the IC card 703 is issued, the contract between the user and the service company can also be concluded through the internet 710 or the like.
Step ST725:
for example, when a user attempts to purchase a product by accessing the server 702 through the internet 710 using the personal computer 705, the server 702 issues a processing request to the ASP server 719 through the internet 710.
When the ASP server 719 receives a processing request from the server 702, it accesses the personal computer 705 through the internet 710. Further, a processing request relating to the IC card 703 issued from the reader/writer 704 is transmitted to the SAM chip 708 through the personal computer 705, the internet 710, and the ASP server 719.
Step ST726:
the ASP server 719 outputs an entity generation request to the SAM chip 708. The entity generation request holds information indicating the issuer of the IC card 703.
Step ST727:
when the SAM chip 708 receives the entity generation request, it performs polling for the IC card 703.
Step ST728:
after the polling ends, the entity generation task 771 of the SAM chip 708 judges whether the number of IC card entity data 773_x existing in the SAM chip 708 is within the maximum number determined by the SC command of the script program. If it is within the maximum number, the process proceeds to step ST729, and if not, the process is ended.
Step ST729:
the entity generation task 771 specifies which service company's IC card entity template data is to be used, based on the information indicating the issuer of the IC card 703 held in the entity generation request, and generates IC card entity data 773_x using the specified IC card entity template data.
This corresponds to the example generation shown in fig. 127.
Step ST730:
the SAM chip 708 outputs the entity ID of the IC card entity data 773_ x generated in step ST729 to the ASP server 719.
Step ST731:
the IC card process management task 772 of the SAM chip 708 investigates services that the IC card 703 can use.
This is processing corresponding to the job RS shown in fig. 127.
Step ST732:
the IC card process management task 772 of the SAM chip 708 verifies the validity of the IC card 703.
This is processing corresponding to job a1 shown in fig. 127.
Step ST733:
the IC card 703 verifies the validity of the SAM chip 708.
This is processing corresponding to job a2 shown in fig. 127.
According to steps ST732 and ST733, the IC card 703 and the SAM chip 708 are mutually authenticated.
At this time, as described earlier, the key data K_CARD is obtained by looking at the AP management table data 7300_1-7300_3 shown in fig. 211 based on the application unit data APE being executed by the SAM chip 708, and is used for mutual authentication between the SAM chip 708 and the CPU 751 of the IC card 703.
Step ST734:
the IC card process management task 772 of the SAM chip 708 reads and writes data necessary for the process on the IC card 703.
This is processing corresponding to jobs R and W shown in fig. 127.
Further, the IC card process management task 772 uses a processing formula specified from the pre-processed data of the IC card entity data 773_ x and performs predetermined calculation processing using the data read from the IC card 703.
Step ST735:
the IC card process management task 772 of the SAM chip 708 outputs the processing result of step ST734 to the ASP server 719.
Step ST736:
for example, the IC card process management task 772 deletes the IC card entity data 773_ x.
As described above, according to the communication system 701 and the SAM apparatus 709, by configuring the application program AP using several application unit data APEs and defining the calculation contents of the application unit data APEs using the AP management table data and the APP table data, it is possible to provide different services using the IC card 703.
Further, according to the communication system 701, it is possible to flexibly realize the utilization of the application unit data APE in the same SAM and the utilization of the application unit data APE between different SAMs using the AP management table data and the APP table data while maintaining a high degree of confidentiality.
Further, according to the communication system 701, when the application unit data APE is used between different SAMs, since mutual authentication is performed between the SAMs, confidentiality of the application program can be improved.
Further, according to the communication system 701, by assigning SAM_IDs of the same kind to applications of the same service enterprise, it is possible to prevent a complicated mutual authentication process from being performed between the application unit data APEs of the applications of the same enterprise, thereby reducing the burden of key information management and processing on the SAM chip.
Further, according to the communication system 701, it is possible to generate the IC card entity data 773_ x for each process of the process that occurs together with the IC card 703, and to cause the IC card process management task 772 to use the several IC card entity data 773_ x while continuing the process relating to the several IC cards 703.
Further, according to the authentication system 701, since it is sufficient to save in the memory 765 the IC card entity data 773_x actually used for the processing of the IC card 703, the storage area of the memory 765 can be used effectively.
In addition, according to the verification system 701, as shown in fig. 127, since the execution state of a job processed by the IC card process management task 772 is divided into a post-start state and a complete state, after starting execution of one job, it is possible to start processing of another job in a state of waiting for data from the IC card 703. Thus, the waiting time caused by data transfer via the internet 10 and the IC card 703 can be eliminated.
Further, according to the authentication system 701, the AP management table data 7300_1 to 7300_3 describe the names indicating the types of services provided by the respective service enterprises, i.e., APE_N, the numbers of the services used in the IC card 703, and the key information used when providing these services. These are stored in the external memory 707. Thus, the service enterprises 715_1 to 715_3, which are not the developers of the SAM chip 708, can customize their own applications running on the SAM chip 708 by generating the script programs 721_1, 721_2, and 721_3 and downloading them to the external memory 707 through the SAM chip 708. That is, the service enterprises 715_1 to 715_3 can customize their own applications without being given the key information, the operation commands for directly operating the IC card 703, or other highly confidential information. Further, when customizing an application, a service enterprise does not need to know the key data or the card operation commands, which relieves the service enterprise of that burden.
Further, according to the authentication system 701, since the calculation contents for generating several services can be defined, it is possible to provide different services on the IC card 703 side that combine several of the many services approved to be executed simultaneously.
Further, according to the authentication system 701, by introducing the concept of a data block, it is possible to easily manage data input and output with respect to the IC card 703 and log data.

Claims (19)

1. A data processing method performed by a semiconductor circuit according to a plurality of processing requests,
the data processing method comprises the following steps:
receiving the plurality of processing requests from an integrated circuit having a memory holding data to be used for processing of a process performed by means of the semiconductor circuit or a communication device inputting and outputting data with respect to the integrated circuit,
the integrated circuit is polled to determine whether the integrated circuit is ready for use,
generating job management data including job execution order data indicating an execution order of a plurality of jobs forming a process according to the processing request and status data indicating a status of a progress of execution of the plurality of jobs for each of the plurality of processing requests,
selecting one job management data from the plurality of generated job management data,
selecting a job to be executed next in accordance with the status data and the processing order data of the selected job management data,
performing the selected job, and
updating the status data of the selected job management data according to execution of the job, the status data distinguishing a state before an instruction relating to execution of the job is issued and a state after the instruction is issued to the integrated circuit.
2. The data processing method according to claim 1, further comprising the step of selecting one job management data from said plurality of job management data after updating said status data of said selected job management data.
3. The data processing method according to claim 1, further comprising a step of deleting said job management data when execution of all jobs forming a process according to said processing request is completed.
4. The data processing method according to claim 1, further comprising the step of issuing an instruction relating to execution of the job to the integrated circuit, and then selecting and executing the job for processing by a process of another integrated circuit.
5. The data processing method according to claim 1, further comprising a step of receiving a processing result corresponding to an instruction issued when the status data of the selected job management data indicates the status after the instruction issued, and writing it to the selected job management data.
6. The data processing method of claim 1, further comprising the steps of:
starting a job management data generation task and generating the job management data when a processing request is received; and
When the job management data is generated, a job management data management task is started, and the job is selected, executed, and the status data is updated.
7. The data processing method of claim 1, further comprising the steps of:
executing a plurality of applications corresponding to a plurality of process providers that provide processes to be performed using the integrated circuit,
specifying, based on the processing request, a process provider corresponding to the processing request, and
generating the job management data for executing an application corresponding to the specified process provider.
8. The data processing method according to claim 1, further comprising a step of giving an identifier to the job management data, and managing a plurality of job management data using the identifier.
9. The data processing method of claim 1, wherein the integrated circuit is mounted on a card.
10. A semiconductor circuit for processing data according to a plurality of processing requests,
the semiconductor circuit includes:
an interface for receiving the plurality of processing requests from an integrated circuit having a memory holding data to be used for processing of a process executed by the semiconductor circuit or a communication device which inputs and outputs data with respect to the integrated circuit,
A storage circuit that holds job management data including job execution order data indicating an execution order of a plurality of jobs forming a process according to a processing request and state data indicating a state of execution progress of the plurality of jobs, and
a control circuit for polling said integrated circuit, generating said job management data for each of a plurality of processing requests inputted and storing it in said storage circuit, selecting one job management data from said plurality of job management data generated, selecting and executing a job to be executed next in accordance with said status data of said selected job management data and said processing order data, and updating said status data of said selected job management data in accordance with execution of the job, said status data being expressed to distinguish between a state before an instruction relating to execution of said job is issued and a state after an instruction is issued to said integrated circuit.
11. The semiconductor circuit according to claim 10, wherein the control circuit selects one job management data from the plurality of job management data after updating the status data of the selected job management data.
12. The semiconductor circuit according to claim 10, wherein said control circuit deletes said job management data when execution of all jobs forming a process according to said processing request is completed.
13. The semiconductor circuit according to claim 10, wherein the control circuit issues an instruction related to execution of the job to the integrated circuit, and then selects and executes a job of a process that uses another integrated circuit.
14. The semiconductor circuit according to claim 10, wherein the control circuit receives, when the status data of the selected job management data indicates the state after the instruction has been issued, a processing result corresponding to the issued instruction, and writes it to the selected job management data.
15. The semiconductor circuit of claim 10, wherein the control circuit:
starts a job management data generation task and generates the job management data when a processing request is received; and
when the job management data has been generated, starts a job management data management task that selects and executes the job and updates the status data.
16. The semiconductor circuit of claim 10, wherein the control circuit:
executes a plurality of applications corresponding to a plurality of process providers that provide processes to be performed using the integrated circuit,
specifies, based on the processing request, a process provider corresponding to the processing request, and
generates the job management data for executing an application corresponding to the specified process provider.
17. The semiconductor circuit according to claim 10, wherein the control circuit gives an identifier to the job management data, and manages a plurality of job management data using the identifier.
18. The semiconductor circuit of claim 10, wherein said integrated circuit is mounted on a card.
19. The semiconductor circuit according to claim 10, wherein the semiconductor circuit is tamper-resistant.
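The scheduling scheme the method claims (5 to 9) and the circuit claims (10 to 19) describe, as an added Python simulation that is not part of the patent: one job management data record per processing request, status data that distinguishes "before instruction issued" from "after instruction issued", a result written back into the record once the card answers, deletion of the record when its last job completes, and round-robin selection so that another card's job is served while one card is still working. FakeCard, Controller and the one-poll latency model are constructed stand-ins for the integrated circuit and the semiconductor circuit, not the patent's own components.

```python
BEFORE_ISSUE, AFTER_ISSUE = "before_issue", "after_issue"   # the two status values

class JobManagementData:
    """One processing request: identifier, job execution order, status, results."""
    def __init__(self, ident, card, jobs):
        self.ident, self.card, self.jobs = ident, card, list(jobs)
        self.job_index, self.status, self.results = 0, BEFORE_ISSUE, []

class FakeCard:
    """Constructed IC stand-in: the result becomes readable `latency` polls after issue."""
    def __init__(self, latency):
        self.latency, self.pending = latency, None

    def issue(self, job):
        self.pending = (job, self.latency)

    def poll(self):
        if self.pending is None:
            return None
        job, remaining = self.pending
        self.pending = None if remaining == 0 else (job, remaining - 1)
        return job + ":ok" if remaining == 0 else None

class Controller:
    def __init__(self, cards):
        self.cards, self.records, self.cursor, self.next_id = cards, [], 0, 1

    def request(self, card, jobs):  # generation task: one record per request
        ident, self.next_id = self.next_id, self.next_id + 1   # identifier (claims 8, 17)
        self.records.append(JobManagementData(ident, card, jobs))
        return ident

    def step(self):
        """Management task: pick one record, advance its job, update its status."""
        if not self.records:
            return None                             # nothing pending
        rec = self.records[self.cursor % len(self.records)]
        card, job = self.cards[rec.card], rec.jobs[rec.job_index]
        if rec.status == BEFORE_ISSUE:
            card.issue(job)                         # instruction sent to the IC
            rec.status = AFTER_ISSUE
        elif (result := card.poll()) is not None:  # result written to the record
            rec.results.append(result)
            rec.job_index, rec.status = rec.job_index + 1, BEFORE_ISSUE
        if rec.job_index == len(rec.jobs):          # all jobs done: delete record
            self.records.remove(rec)
        else:
            self.cursor += 1                        # next step serves another request
        return rec.ident
```

Each call to `step()` returns the identifier of the record it served, so a trace of the return values shows the interleaving between cards directly.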
HK04104630.4A 2001-02-16 2002-02-15 Data processing method and its apparatus HK1062722B (en)

Applications Claiming Priority (19)

Application Number Priority Date Filing Date Title
JP2001040415A JP4765174B2 (en) 2001-02-16 2001-02-16 Application execution apparatus, communication system, and application execution method
JP40705/2001 2001-02-16
JP40414/2001 2001-02-16
JP2001040705A JP2002244868A (en) 2001-02-16 2001-02-16 Data processing method, semiconductor circuit and program
JP2001040414A JP4670158B2 (en) 2001-02-16 2001-02-16 Data processing method and semiconductor circuit
JP40415/2001 2001-02-16
JP39969/2001 2001-02-16
JP2001039969A JP2002244755A (en) 2001-02-16 2001-02-16 Data processing method, semiconductor circuit and program
JP42445/2001 2001-02-19
JP42446/2001 2001-02-19
JP2001042445A JP2002244757A (en) 2001-02-19 2001-02-19 Semiconductor circuit
JP2001042446A JP2002244925A (en) 2001-02-19 2001-02-19 Semiconductor circuit and data processing method
JP42396/2001 2001-02-19
JP42397/2001 2001-02-19
JP2001042396A JP2002244756A (en) 2001-02-19 2001-02-19 Data processing method, semiconductor circuit and authentication device
JP2001042397A JP4617581B2 (en) 2001-02-19 2001-02-19 Data processing device
JP2001262288A JP4207409B2 (en) 2001-08-30 2001-08-30 Data processing apparatus and method
JP262288/2001 2001-08-30
PCT/JP2002/001324 WO2002065287A1 (en) 2001-02-16 2002-02-15 Data processing method and its apparatus

Publications (2)

Publication Number Publication Date
HK1062722A1 HK1062722A1 (en) 2004-11-19
HK1062722B true HK1062722B (en) 2007-01-12
