HK1097612B - Data communicating apparatus and method for managing memory of data communicating apparatus
Publication number: HK1097612B
Authority: HK (Hong Kong)
Prior art keywords: file system, card, service provider, service, issuer
Description
Technical Field
The present invention relates to a data communication apparatus including a relatively large-capacity memory, and a method for managing the memory of the data communication apparatus, and particularly, to a data communication apparatus for storing electronic value information in a storage area and transmitting security information including electronic payment information, and a method for managing the memory of the data communication apparatus.
More particularly, the present invention relates to a data communication apparatus for allocating a file system for a service provider in a storage area and managing information on services provided by the service provider using the file system, and a method for managing the storage area of the data communication apparatus, and particularly, to a data communication apparatus for allocating a file system for each of a plurality of service providers in a single storage area and allowing the plurality of service providers to share the single data communication apparatus to provide a plurality of services, and a method for managing a memory of the data communication apparatus.
Background
One example of a wireless communication device that operates only over a short range is the non-contact IC card.
This type of wireless communication is typically implemented on the principle of electromagnetic induction. That is, wireless communication is performed between an IC card having a memory function and a card reader/writer that accesses the memory of the IC card to read information from it and write information to it. The antenna of the card reader/writer serves as the primary coil and the loop coil of the IC card serves as the secondary coil, so that the two together form a transformer as a system. The card reader/writer transmits power and information to the IC card by electromagnetic induction, and the IC card operates on the supplied power to respond to an inquiry signal from the card reader/writer.
When the card reader/writer modulates the current flowing through its antenna, the voltage induced in the loop coil of the IC card is modulated accordingly; by this effect the card reader/writer transmits data to the IC card. Conversely, when the load between the terminals of the loop coil of the IC card changes, the impedance between the antenna terminals of the card reader/writer changes, and therefore so does the current or voltage in the antenna; by this effect (load switching) the IC card transmits its response to the card reader/writer.
Because of this simplicity of operation, non-contact short-range communication systems using IC cards have come into wide use. For example, a security code, other personal identification information, and electronic value information (e.g., an electronic ticket) are stored in the IC card, while card readers/writers are installed in cash dispensers, at entrances and exits of concert halls, and in ticket gates of train stations. When the user holds the IC card over the card reader/writer, the card reader/writer accesses the IC card without contact, and the authentication process can be performed.
Recently, with the progress of fine processing technology, an IC card having a relatively large capacity of memory space has been realized. Since an IC card having a large-capacity memory can store a plurality of applications at the same time, the IC card can be used for various purposes. For example, one IC card storing a plurality of applications (e.g., electronic money and electronic tickets for a specific concert hall) can be used for a plurality of purposes. Here, the terms "electronic money" and "electronic ticket" refer to a payment (electronic payment) system using electronic data issued to a user in accordance with funds provided by the user or such electronic data itself.
Generally, the user holds the IC card over a card reader/writer. The card reader/writer continuously polls for an IC card; when it detects one, communication between the IC card and the card reader/writer begins.
At this point, the user enters a security code into the card reader/writer. The card reader/writer compares the inputted security code with the security code stored in the IC card. Thereby, the individual identification verification or authentication is performed between the IC card and the card reader/writer. This security code used when accessing the IC card is referred to as a "Personal Identification Number (PIN)". If the personal identification check or authentication process is successful, the user can use an application stored in the IC card, for example. That is, the user can access a service storage area (hereinafter referred to as "service storage area") allocated to the application. When the service storage area is accessed, appropriate encrypted communications are performed according to the security level of the application.
Further, if an IC card and a card reader/writer (card reader/writer device) include a wired interface (not shown) for communicating with an external device in addition to a wireless non-contact interface, either or both of the IC card and the card reader/writer may be provided to devices such as a cellular phone, a Personal Digital Assistant (PDA), a Consumer Electronics (CE) device, and a personal computer. In this case, the IC card technology can be applied to a general bidirectional short-range communication interface.
For example, when short-range communication is performed between a computer and a home information device, one-to-one communication using an IC card is performed therebetween. Further, some devices may communicate with devices other than the contactless IC card. In this case, an application that performs one-to-many communication between one device and a plurality of cards may be provided.
Further, various applications using the IC card for external communication of electronic value information (such as electronic payment) can be run on the information processing apparatus. For example, a user can communicate with an IC card by using a keyboard and a display on an information processing apparatus. Since the IC card is connected to the cellular phone, the user can transmit information stored in the IC card through the phone line. Further, using the IC card, the user can send payment from the cellular phone through the internet.
If a file system for a service provider is allocated in the internal memory of an IC card and service information for the service provider (e.g., user identification/authentication information, information on remaining values, or usage history (log)) is managed in the file system, a useful service based on noncontact short-range communication can be realized, which replaces the well-known prepaid card and the service cards provided by various stores.
Generally, each service provider issues its own IC card to the user in order to provide its service. Thus, the user ends up with multiple cards (one for each service) and has to carry them all. In contrast, an IC card having a relatively large memory space can provide enough memory to store information relating to a plurality of services in its internal memory.
For prepaid cards, in order to ensure proper commercial practice in issuing the card, protect the purchaser of the card, and secure the credit standing of the card, a law concerning the regulation of prepaid cards (the so-called "purika" law) has been enacted, under which the issuer of a prepaid card must be registered with a supervising agency and is regulated by the law. Furthermore, under this law, in order to provide convenient services to users and maintain market order, predetermined items such as logos and contact addresses must be printed on the prepaid card (on the surface of the card) (see article 12 of the law).
When a prepaid card with prepaid information stored in its memory is provided, the number of services it can offer is limited to one, because the information prescribed by the law must be printed on the medium itself. In contrast, when the IC card function is used on a mobile device having a display function (for example, a cellular phone), the requirements of the law can be satisfied by displaying the information for the desired value information on the screen (for example, see patent document 1). Thereby, a plurality of service providers can share one IC card function: for the service provider, the workload of issuing cards is reduced, and for the user, the number of IC cards to be carried is reduced.
Unfortunately, when a plurality of service providers share a single storage area and each service provider is allowed to access freely the storage area of another service provider sharing it, the value information set up by each service provider may be used by other, unauthorized service providers. As a result, a service provider cannot provide a reliable service, and the user risks having readily transferable value information leak, and thus suffering economic loss.
Therefore, in the case where the IC card is shared by a plurality of service providers, it is required that the user can regard the IC card as a card originally issued by each service provider when the user uses the service. Further, the IC card is required to have a feature of securely managing information for each service provider in the storage area.
[ patent document 1]
Japanese unexamined patent application publication No. 2003-141434
Disclosure of Invention
Problems to be solved by the invention
The present invention provides an excellent data communication apparatus and a method for managing a memory of the data communication apparatus, which can store electronic value information in a memory area and securely exchange information for, for example, electronic payment.
The present invention also provides an excellent data communication apparatus and method for managing a memory of the data communication apparatus, which can provide a user with easy use as if an IC card is issued directly by a service provider of a service that the user is currently using, and which has a mechanism for securely managing information on a plurality of service providers in a storage area so that the plurality of service providers can share one IC card.
According to the present invention, there is provided a data communication device incorporating an IC chip including a card function simulation circuit and a data processing unit coupled to the card function simulation circuit, the data processing unit having a memory space which the data communication device manages by dividing it into one or more file systems, wherein the data processing unit further includes: control means for holding a division authority key and managing access to the file systems in the memory space; and a first file system allocated in the memory space to a first service provider, the first file system holding the issuer key of the first service provider. A division element package is generated by encrypting, with the division authority key, an issuer key of a second service provider; a division package is generated by encrypting, with the issuer key of the first service provider, a data block including the division element package and information on a new file system. When the division package is received, the first file system decrypts it with the issuer key of the first service provider and retrieves the division element package. The control means decrypts the division element package, divides off part of the free area of the memory space on the basis of the information on the new file system, and allocates the divided storage area to a second file system holding the issuer key of the second service provider. As used herein, the term "data communication device" refers to: a non-contact IC card including a wireless communication unit and an IC chip having a data transmitting/receiving function and a data processing unit; a contact IC card having terminals on its surface; or an information communication apparatus (for example, a cellular phone, a Personal Handyphone System (PHS) terminal, or a Personal Digital Assistant (PDA)) including an IC chip having the same function as the contact or non-contact IC card.
The data communication device has a storage area including a data accumulation memory (e.g., EEPROM) and a data processing unit. The data communication apparatus also has a data communication function. For example, in the case of a cellular phone, an external storage medium, such as an IC card incorporating an IC chip, may be removably mounted to the cellular phone. Further, the IC chip may include a Subscriber Identity Module (SIM) function for storing subscriber information provided by a cellular phone holder. The data communication device may perform data communication through an information communication network such as the internet, or may directly perform data communication with an external device by wire or wirelessly.
The present invention provides a service that ensures security such as exchange of value information using tamper-proof and authentication functions of an IC card. More specifically, the present invention reduces the card issuance workload of a service provider by allowing a plurality of services to share a single memory space inside an IC card. In addition, the present invention reduces the number of cards that a user carries and manages.
However, when a plurality of service providers share a single storage area and some service providers are allowed to access the memory space of other providers, the value information set up by each service provider may be accessed by other, unauthorized service providers.
According to the present invention, a plurality of file systems for a plurality of service providers are allocated in a single memory space, and the plurality of service providers can share one data communication device to provide a plurality of services. By partitioning the storage area into multiple file systems, the boundaries between the multiple file systems act as a firewall, thereby properly preventing one of the file systems (i.e., one of the multiple service providers) from being accessed (hacked) by the other file systems.
Initially, the entire memory area in the IC card is managed by the original card issuer of the IC card. When a service provider other than the original IC card issuer divides the storage area to create a new file system, the service provider is required to have the authority to divide the storage area and the authentication of the original IC card issuer.
For example, when a second service provider, as a new service provider, wishes to divide off a file system in the storage area of an IC card, the second service provider first requests permission to use the storage area from the original card issuer (the first service provider). Then, in order to grant permission to divide the free storage area into a file system, the original card issuer obtains from the division engineering manager a "division element package" that is necessary for dividing the file system.
The division engineering manager assigns an area key K_Ii and a system code SC_i to the file system to be newly generated by the division. The division engineering manager then encrypts a data block including these with the division authority key K_d to generate the division element package, and delivers the division element package to the card issuer. Since the card issuer does not hold the division authority key K_d, the card issuer can neither decrypt nor tamper with the division element package it receives.
The card issuer then encrypts, with the issuer key K_I belonging uniquely to the card issuer, a data block including the received division element package and the size (number of blocks) of the divided area that the new service provider is permitted to use, to generate a division package. Because the division package is encrypted with the card issuer key K_I, a third party can neither decrypt the division package nor tamper with the size.
The card issuer requests division of the file system using the division package. When the operating system of the IC card receives the division request, it passes the division package to the card issuer's file system on the basis of the area ID given as an argument of the request. The file system decrypts the division package with the card issuer key K_I and retrieves the division element package and the size of the divided area.
When the division element package and the size of the divided area are received from the card issuer's file system, the operating system of the IC card decrypts the division element package with the division authority key K_d and retrieves the area key K_Ii that applies immediately after the division (the default issuer key of the second service provider) and the system code SC_i. The operating system then divides off the requested size of memory from the unused area, sets the issuer key K_Ii and the system code SC_i for that area, and defines the area as a new file system.
After the memory space is divided, authentication of a service provider of the file system is required for access to the file system, not authentication of an original IC card issuer. Therefore, when each service is used, the user of the IC card can obtain easy use as if the IC card was issued directly by the service provider of the service currently used by the user.
By repeating such division operation, a plurality of file systems coexist in the storage area of the IC card. The partitioning of the file system is considered a virtual card issuance operation.
Each of the plurality of file systems in the memory space has area identification information, and an external access carries a package encrypted with the issuer key of the file system. When an external access is received with the area identification information and the package as its arguments, the control means transfers the package to the corresponding file system on the basis of the area identification information, and that file system decrypts the package with its own issuer key.
Therefore, a service provider holding a file system can communicate with that file system using its own issuer key, which is kept secret from the control system of the IC card and from the original card issuer. That is, the service provider can analyze, manage, and handle security threats independently of the original card issuer.
Further, when a new file system is divided off, the control means sets the system code of the file system together with its issuer key and area identification information.
In this case, each service provider issues a request to obtain the area identification information, using its own system code as the argument of the request. In response, the control means polls each of the plurality of file systems, obtains the area identification information from the file system whose system code matches, and returns it to the requester. The service provider therefore need only manage its own system code: when it accesses its file system, it first obtains the area identification information in this way and then issues access requests with the area identification information as an argument.
Further, after the service provider has obtained its file system in the storage area, the control means may overwrite the default issuer key and system code that were set at the time of division. Thus, the service provider can analyze, manage, and handle threats to the security of its own file system independently of the division engineering manager that manages the division of file systems.
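The division sequence described above, together with the area-ID routing, the system-code polling and the later overwriting of the default issuer key, as an added example that is not code from the patent or from any product implementing it. The patent does not say which cipher produces a "package"; this model uses a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) as a stand-in, because the text's requirement that a party without the key can neither decrypt nor tamper calls for authenticated encryption, not encryption alone. Every class and function name (DivisionEngineeringManager, ICCardOS, seal, unseal, rekey_package), the 16-byte keys, the 2-byte system codes and the block counts are assumptions made for this example:

```python
# Added example, not code from the patent: a toy model of the division protocol
# above. The patent names the keys (K_d, K_I, K_Ii, SC_i) but not the cipher;
# each "package" here is encrypt-then-MAC from stdlib HMAC-SHA256 (keystream
# plus tag). Class names, field sizes and sample values are assumptions.
import hashlib, hmac, os, struct

NONCE, TAG, KEYLEN = 16, 32, 16

def _subkeys(key):
    """Separate encryption and MAC keys derived from one package key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(ek, nonce, n):
    return b"".join(hmac.new(ek, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, data: bytes) -> bytes:
    """Build a package: nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(ek, nonce, len(data))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, pkg: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified byte is rejected."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = pkg[:NONCE], pkg[NONCE:-TAG], pkg[-TAG:]
    if len(pkg) < NONCE + TAG or not hmac.compare_digest(
            tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("package rejected: wrong key or tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class DivisionEngineeringManager:
    """Holds the division authority key K_d, which the card issuer never sees."""
    def __init__(self, k_d: bytes):
        self.k_d = k_d

    def element_package(self, k_ii: bytes, sc_i: int) -> bytes:
        # plaintext: default issuer key K_Ii (16 bytes) || system code SC_i (2 bytes)
        return seal(self.k_d, k_ii + struct.pack(">H", sc_i))

def division_package(k_i: bytes, element_pkg: bytes, blocks: int) -> bytes:
    """Card issuer wraps the element package and the permitted size under its K_I."""
    return seal(k_i, struct.pack(">I", blocks) + element_pkg)

def rekey_package(current_key: bytes, new_key: bytes, new_sc: int) -> bytes:
    """Provider's request to replace the default K_Ii / SC_i, sealed under the current key."""
    return seal(current_key, new_key + struct.pack(">H", new_sc))

class FileSystem:
    def __init__(self, issuer_key: bytes, system_code: int, blocks: int):
        self.issuer_key, self.system_code, self.blocks = issuer_key, system_code, blocks

class ICCardOS:
    """Control means: holds K_d and routes packages by area ID; issuer keys stay inside."""
    def __init__(self, k_d: bytes, k_i: bytes, sc: int, total_blocks: int):
        self.k_d, self.free_blocks = k_d, total_blocks
        self.areas = {0: FileSystem(k_i, sc, 0)}  # area 0: the original card issuer

    def divide(self, area_id: int, pkg: bytes) -> int:
        body = unseal(self.areas[area_id].issuer_key, pkg)   # file system opens with its K_I
        blocks, element_pkg = struct.unpack(">I", body[:4])[0], body[4:]
        elem = unseal(self.k_d, element_pkg)                  # control means opens with K_d
        k_ii, sc_i = elem[:KEYLEN], struct.unpack(">H", elem[KEYLEN:KEYLEN + 2])[0]
        if blocks > self.free_blocks:
            raise ValueError("not enough free blocks")
        if self.area_id_for(sc_i) is not None:
            raise ValueError("system code already in use")
        self.free_blocks -= blocks
        new_id = max(self.areas) + 1
        self.areas[new_id] = FileSystem(k_ii, sc_i, blocks)  # the "virtual card issuance"
        return new_id

    def area_id_for(self, system_code: int):
        """Poll every file system for a system code; return its area ID or None."""
        return next((a for a, fs in self.areas.items() if fs.system_code == system_code), None)

    def access(self, area_id: int, pkg: bytes) -> bytes:
        """Any later access is a package sealed under that file system's own issuer key."""
        return unseal(self.areas[area_id].issuer_key, pkg)

    def rekey(self, area_id: int, pkg: bytes) -> None:
        body, fs = self.access(area_id, pkg), self.areas[area_id]
        fs.issuer_key, fs.system_code = body[:KEYLEN], struct.unpack(">H", body[KEYLEN:KEYLEN + 2])[0]

def rejected(fn, *args) -> bool:
    """True if the card refuses the package (wrong key or tampering)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def demo() -> dict:
    """One division with constructed keys; returns the pieces for inspection."""
    k_d, k_i, k_ii = os.urandom(KEYLEN), os.urandom(KEYLEN), os.urandom(KEYLEN)
    card = ICCardOS(k_d, k_i, sc=0x0001, total_blocks=1024)
    elem = DivisionEngineeringManager(k_d).element_package(k_ii, sc_i=0x00A2)
    pkg = division_package(k_i, elem, blocks=64)
    return {"card": card, "k_i": k_i, "k_ii": k_ii, "elem": elem, "pkg": pkg,
            "new_id": card.divide(0, pkg)}
```

demo() runs one division: the division engineering manager seals K_Ii and SC_i under K_d, the card issuer wraps that under K_I together with the permitted size, and the card opens the two layers in turn. Two checks are worth noticing: unseal(k_i, elem) fails, so the issuer can forward the element package but cannot read or rewrite it, and after the division the original issuer's K_I no longer opens area 1, which is the "firewall" between file systems. This toy has no replay protection of its own; a captured division package would be accepted a second time, which a real implementation would need to prevent with a counter or a challenge that the excerpt above does not describe.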
Advantages of the invention
According to the present invention, it is possible to provide an excellent data communication apparatus and a method for managing a memory of the data communication apparatus, which can store electronic value information in a memory area and securely exchange information for, for example, electronic payment.
Further, according to the present invention, it is possible to provide an excellent data communication apparatus and a method for managing a memory of the data communication apparatus, which can provide a user with easy use as if an IC card is issued directly by a service provider of a service that the user is currently using, and which has a mechanism of securely managing information on a plurality of service providers in a storage area so that the plurality of service providers can share one IC card.
Further, according to the present invention, a plurality of file systems of a plurality of service providers are allocated in a single memory space, and the plurality of service providers share one data communication device. Thus, the present invention can provide an excellent data communication apparatus and a method for managing a memory of the data communication apparatus, which can provide a plurality of services using the single data communication apparatus.
Other features and advantages of the present invention will become apparent from the following detailed description of exemplary embodiments, which is to be read in connection with the accompanying drawings.
Drawings
Fig. 1 schematically illustrates a basic concept of wireless data communication between a card reader/writer and an IC card based on electromagnetic induction;
fig. 2 is a diagram modeling a system including a card reader/writer and an IC card as a transformer;
fig. 3 illustrates a hardware structure of a data communication apparatus according to an embodiment of the present invention;
fig. 4 schematically illustrates the structure of a control system of a storage area in an IC card according to an embodiment of the present invention;
fig. 5 schematically illustrates the structure of a service providing system using an IC card;
FIG. 6 illustrates a storage area in which an original card issuer manages only the file system of the original card issuer;
FIG. 7 illustrates free space in the card issuer's file system that the card issuer permits another area manager to lease or purchase;
FIG. 8 is a diagram in which another service provider splits the memory area licensed by the card issuer to create a new file system;
fig. 9 is a diagram in which a public area manager divides a storage area permitted by a card issuer using the system code SC0 of a public area;
FIG. 10 illustrates a pre-process of partitioning a file system;
fig. 11 is a sequence diagram illustrating a procedure performed by the card issuer for polling the IC card;
fig. 12 is a sequence diagram illustrating a process of sending a division request from a card issuer to an IC card;
fig. 13 illustrates a case in which the memory area of the IC card is divided and a new file system is generated;
fig. 14 is a diagram illustrating resetting of the issuer key K performed after a new service provider obtains the file system of the new service provider in the storage area of the IC cardIiAnd system code SCiA sequence diagram of the process of (a);
fig. 15 schematically illustrates the structure of a storage area of an IC card in which a plurality of file systems coexist by repeating a division operation;
FIG. 16 schematically illustrates the structure of a request command packaged using an issuer key;
FIG. 17 schematically illustrates a directory structure of a file system;
FIG. 18 illustrates a basic structure of a file system;
fig. 19 illustrates a plurality of areas layered in the memory space of the IC card 50;
FIG. 20 is a flowchart illustrating a process for registering regions and services in a file system;
FIG. 21 illustrates a process performed by a service provider (including an original card issuer) for registering a region in the service provider's file system;
FIG. 22 illustrates a process performed by a service provider (including an original card issuer) for registering services in the service provider's file system;
fig. 23 schematically illustrates a data structure of a security code service data block;
fig. 24 is a flowchart illustrating a process for controlling activation of a service or access right to a region according to a security code input from a user; and
fig. 25 is a flowchart illustrating a process for controlling access rights to services and zones based on the number of PIN entry attempt failures.
Detailed Description
Various embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The present invention provides a service that ensures security such as exchange of value information using tamper-proof and authentication functions of an IC card. More specifically, the present invention reduces the card issuance workload of a service provider by allowing a plurality of services to share a single memory space inside an IC card. In addition, the present invention reduces the number of cards that a user carries and manages.
However, when a plurality of service providers share a single storage area and some service providers are allowed to access the memory spaces of other providers, the value information set up by each service provider may be accessed by other, unauthorized service providers.
According to the present invention, file systems for a plurality of service providers are allocated in a single memory space, and one data communication device can be shared by the service providers to provide a plurality of services. By dividing the storage area into multiple file systems, the boundaries between these file systems act as a firewall, thereby properly preventing one of these file systems (i.e., one of the multiple service providers) from being accessed (hacked) by the other file system.
Initially, the entire memory area in the IC card is managed by the original card issuer of the IC card. When a service provider other than the original IC card issuer divides the storage area to create a new file system, the service provider is required to have the authority to divide the storage area and the authentication of the original IC card issuer.
After the memory space is divided, authentication of a service provider of the file system is required for access to the file system, not authentication of an original IC card issuer. Therefore, when each service is used, the user of the IC card can obtain easy use as if the IC card was issued directly by the service provider of the service currently used by the user.
Next, a basic concept of non-contact data communication between an IC card and a card reader/writer is described with reference to fig. 1 and 2.
Wireless data communication between the card reader/writer and the IC card is realized on the principle of electromagnetic induction. Fig. 1 schematically illustrates the basic concept of wireless data communication between a card reader/writer and an IC card. The card reader/writer comprises an antenna L_RW consisting of a loop coil. When a current I_RW is applied to the antenna L_RW, a magnetic field is generated around the antenna L_RW. On the other hand, a loop coil L_C is formed electrically around the IC card. An induced voltage is produced in the loop coil L_C of the IC card by the magnetic field generated by the loop antenna L_RW of the card reader/writer. The induced voltage is input to the terminals of the IC card connected to the loop coil L_C.
The coupling ratio between the antenna L_RW of the card reader/writer and the loop coil L_C of the IC card varies with their positional relationship. However, from a system point of view, the antenna L_RW of the card reader/writer and the loop coil L_C of the IC card form a transformer. Therefore, the read/write operation of the IC card can be modeled as shown in fig. 2.
The card reader/writer modulates the current I_RW applied to the antenna L_RW, thereby modulating the voltage V_0 induced in the loop coil L_C on the IC chip. By this phenomenon, the card reader/writer can transmit data to the IC card.
Further, the IC card changes the load between the terminals of the loop coil L_C in accordance with the data to be returned to the card reader/writer (load switching). When the load between the terminals of the loop coil L_C changes, the impedance between the terminals of the antenna of the card reader/writer changes. Thereby, the current I_RW passing through the antenna L_RW or the voltage V_RW of the antenna L_RW changes. By demodulating this change, the card reader/writer can receive the data returned from the IC card.
That is, by changing the load of the antenna in accordance with the response signal to the inquiry signal from the card reader/writer, the IC card can modulate the amplitude of the signal appearing in the receiving circuit of the card reader/writer. Thereby, the IC card can communicate with the card reader/writer.
The IC card may be a card data communication device or may be an information communication device (e.g., a cellular phone) incorporating an integrated circuit chip having an IC card function. For the sake of simplicity, as used herein, any of a device incorporating an IC card and a device in which the IC card is removably mounted is referred to as an "IC card". Further, an integrated circuit chip having an IC card function is mounted in a mobile device (e.g., a cellular phone or a PDA) and an information processing device (e.g., a Personal Computer (PC)) to perform data communication with an external device. In this case, the IC card includes a peripheral interface in addition to an interface for wired or wireless communication with the card reader/writer.
Fig. 3 illustrates a hardware structure of a data communication apparatus according to the present invention. The data communication apparatus has the following functions: an IC card function that, when a communication antenna is engaged, allows access to its internal nonvolatile memory; and a reader/writer function that supplies power to an external device having an IC card function to realize data exchange. The data communication apparatus incorporates an IC chip including a card function simulation circuit 30, a data processing unit 40, and a card reader/writer function simulation circuit 50. In the example shown in the figure, the IC card has a card read/write function. However, this card read/write function is not an essential feature of the present invention.
In the card function simulation circuit 30, the carrier wave received by the antenna 32 is rectified by the rectifier 31 and is transmitted to the signal processing unit 44 of the data processing unit 40 and to the logic circuit 38 through the series regulator 33.
The logic circuit 38 starts in response to a start signal input from the enable signal input terminal P_on. The logic circuit 38 combines the voltage from the series regulator 33 and the voltage input from the power supply terminal V_DD, and controls them so as to supply a power supply voltage suitable for the IC card.
The series regulator 33 keeps the output voltage constant regardless of the level of the input voltage. That is, if the input voltage is high, the series regulator 33 increases the internal impedance to keep the voltage constant. In contrast, if the input voltage is low, the series regulator 33 reduces the internal impedance to keep the voltage constant.
The voltage detector 39 monitors the terminal voltage input from the power supply connection terminal V_BT connected to the logic circuit 38. If the voltage of the external power supply drops below a predetermined voltage, the voltage detector 39 outputs a signal for disabling the external power supply to the logic circuit 38.
Further, in the card function simulation circuit 30, the carrier detector 34 determines whether or not the radio wave input from the antenna 32 includes a carrier. If the radio wave input from the antenna 32 includes a carrier wave, a carrier detection signal VR is output to the logic circuit 38. The logic circuit 38 may also output a signal indicative of the detection of the carrier to the data processing unit 40.
The clock extractor 35 extracts a clock from the radio wave (input from the antenna 32) and transfers the clock to the clock selector 36. The clock oscillator 37 is composed of, for example, a quartz resonator disposed outside the IC card. The clock oscillator 37 generates a clock for the driving frequency of the IC card and transfers the clock to the clock selector 36. The clock selector 36 selects one of the clock transferred from the clock extractor 35 and the clock transferred from the clock oscillator 37, and transfers the selected clock to the respective constituent parts of the IC card.
The card reader/writer function simulation circuit 50 includes a transmission amplifier 51, a reception signal detector 53, a reception amplifier filter, a transmission antenna 52, and a reception antenna 55.
When transmitting data, the signal processing unit 44 of the data processing unit 40 modulates and digital/analog-converts the data and up-converts it from an analog baseband signal to generate a transmission signal. The transmission signal is output from the antenna 52 through the transmission amplifier 51. The signal received by the antenna 55 is detected by the received signal detector 53 and amplified by the reception amplifier filter. The signal is then transmitted to the signal processing unit 44. The signal processing unit 44 down-converts the signal into an analog baseband signal. The signal processing unit 44 then performs analog/digital conversion and demodulation on the signal to reproduce the digital data.
The card read/write operation between the IC card and the card reader/writer is the same as the card read/write operation described with reference to fig. 1 and 2.
The data processing unit 40 includes the above-described signal processing unit 44, a Central Processing Unit (CPU) 45, a data encryption engine 46 using, for example, the Data Encryption Standard (DES), an error correction unit 47 using, for example, a Cyclic Redundancy Check (CRC), a Random Access Memory (RAM) 41, a Read Only Memory (ROM) 42, an electrically erasable programmable ROM (EEPROM) 43, a UART interface 48, and an I2C interface 49. All the above components are interconnected by an internal bus.
The CPU 45 functions as a main controller that performs overall control of the operation of the IC card. The CPU 45 executes program code stored in, for example, the ROM 42 (or the EEPROM 43) under an execution environment (to be described later) provided by an Operating System (OS) of the IC card. For example, the CPU 45 executes an application that transmits and receives data through the card function simulation circuit 30 and the card reader/writer function simulation circuit 50.
The signal processing unit 44 performs modulation, digital/analog conversion, and up-conversion on data to be transmitted through the card function simulation circuit 30 and the card reader/writer function simulation circuit 50. The signal processing unit 44 also down-converts, analog-to-digital converts, and demodulates the received data.
The DES engine 46 encrypts and decrypts data to be transmitted and received through the card function simulation circuit 30 and the card reader/writer function simulation circuit 50 using a common-key encryption scheme based on a commonly recognized algorithm.
The error correction unit 47 performs a cyclic redundancy check on the data received through the card function simulation circuit 30 and the card reader/writer function simulation circuit 50.
The UART 48 and the I2C interface 49 serve as external wired interfaces for connecting the IC card to an external device such as a cellular phone, a PDA, or a personal computer (not shown in fig. 3). The UART (universal asynchronous receiver transmitter) 48 converts a parallel signal into a serial signal, or a serial signal into a parallel signal, in a computer.
The RAM 41 is a writable storage unit. The CPU 45 executes programs using the RAM 41 as a work area. The memory space provided by the RAM 41 is addressable. The CPU 45 and the various components on the internal bus may access this memory space.
The EEPROM 43 is a nonvolatile memory cell to which an erase operation can be performed and new data can be written. As used herein, the storage area in the IC card is basically referred to as a writable area in the EEPROM 43.
The storage area includes at least one file system. In an initial state, the storage area is managed by a single file system managed by the original IC card issuer. Subsequently, a service provider other than the IC card issuer divides the storage area to generate a new file system. The division of a file system from the memory space of the EEPROM 43 and the access operations performed after the division are described in detail below.
Fig. 4 schematically illustrates the structure of a control system of a storage area in an IC card according to the present invention. As shown in fig. 4, the control system is basically implemented in the form of a subsystem of an operating system. The control system includes a protocol interface module, an OS kernel module, and a file system.
The protocol interface module processes an access request for a file system from an external device through a peripheral interface such as the UART interface 48 and an access request for a file system from a card reader/writer through a contactless IC card interface.
The OS kernel module encodes and decodes data exchanged with the file system, corrects errors in the data using CRC, manages the number of data updates for each block of the EEPROM 43, checks PINs, and performs mutual authentication.
In addition, the OS kernel module provides several Application Programming Interfaces (APIs) for accessing the file system (e.g., an API for PIN checking and mutual authentication during file access and an API for file reading/writing).
Physical access is performed to the EEPROM 43 serving as a file system entity. Physical memory access operations to memory devices, including EEPROMs, are well known to those skilled in the art. Therefore, a description thereof will not be given here.
The storage area developed on the EEPROM 43 includes at least one file system. In an initial state, the storage area is managed by a single file system managed by the original IC card issuer. When a service provider other than the original IC card issuer divides the storage area to create a new file system, the service provider is required to have the authority to divide the storage area and the authorization of the original IC card issuer. After the memory space is divided, access to the new file system requires authentication by the service provider, not by the original IC card issuer. The division of the file system is regarded as a virtual card issuance operation.
The OS manages a division authority key K_d that permits the division operation. Further, for each file system, the OS manages an issuer key K_I assigned to the issuer (the original IC card issuer or the service provider that divided the file system), the system code, and the area ID that identifies the file area of the file system.
In order to access a file system, a process including requesting an area ID by polling and mutual authentication is required. The file system issuer (the original card issuer or a service provider that uses a file system obtained by division) polls the file system, using the system code it holds as an argument, for the area ID of the storage area corresponding to the file system. Subsequently, mutual authentication is performed using the area ID and the issuer key K_I. If the mutual authentication succeeds, access to the file system is granted. Access to the file system is performed through communication encrypted with the issuer key K_I unique to the issuer's file system. Thus, other file systems cannot read data from the file system without permission, and issuers other than the issuer of the file system cannot read data from or write data to the file system without permission.
Fig. 5 schematically illustrates the structure of a service providing system for managing electronic money, electronic tickets, and other value information using a relatively large-capacity IC card.
As shown in fig. 5, for example, the system 1 includes an issuer communication device 11 used by an IC card issuer 21, a manager communication device 12 used by a card storage area manager 22, a manufacturer communication device 13 used by a manufacturer 23 of the device, and a storage area dividing device 14 and a management file registration device 15 used by a card storage area user 24.
In the system 1, when the IC card issuer 21 issues the IC card 16 to the cardholder 26, file data relating to services provided by the card storage area user 24 is stored in the IC card 16 based on predetermined conditions. Thus, the card holder 26 can receive services from the IC card issuer 21 and the card storage area user 24 using the one IC card 16.
As shown in fig. 5, in the system 1, the issuer communication apparatus 11, the manager communication apparatus 12, the manufacturer communication apparatus 13, the storage area dividing apparatus 14, and the management file registration apparatus 15 are connected to each other via a network 17.
The IC card issuer 21 issues the IC card 16 to provide its own service using the IC card 16.
When receiving a request from the IC card issuer 21, the card storage area manager 22 performs a service to lease a storage area, which is not used by the IC card issuer 21, in the storage unit (semiconductor memory) of the IC card 16 issued by the IC card issuer 21 to the card storage area user 24.
The manufacturer 23 manufactures the storage area dividing device 14 in response to a request from the card storage area manager 22 and delivers the storage area dividing device 14 to the card storage area user 24.
The card storage area user 24 requests the card storage area manager 22 to allow the card storage area user 24 to use the storage area of the IC card 16 and provide the service of the card storage area user 24. The card storage area user 24 corresponds to the service provider that divides the storage area and creates a new file system as described above. The card storage area user 24 provides its own service by using its own file system.
The cardholder 26 receives the IC card 16 from the IC card issuer 21 to use the service provided by the IC card issuer 21. When the cardholder 26 wishes to receive the service provided by the card storage area user 24 after issuing the IC card 16, the cardholder 26 stores file data relating to the service provided by the card storage area user 24 in the IC card 16 using the storage area dividing device 14 and the management file registering device 15. The cardholder 26 may then begin using the services provided by the card storage area user 24.
In order to provide services from the IC card issuer 21 and services from the card storage area user 24 with one IC card 16, the system 1 has a structure such that unauthorized persons cannot read data from and write data to a storage area in which file data relating to the services provided by the IC card issuer 21 and the card storage area user 24 are stored.
As its name implies, the IC card 16 may be a card-type data communication device. Alternatively, the IC card 16 may be implemented as a cellular phone (or a different mobile device or CE device) incorporating a semiconductor chip having an IC card function.
Although the above description has been made with respect to one IC card issuer 21, one card storage area user 24, and one cardholder 26 in fig. 5, each of them may be plural.
In the present embodiment, file systems for a plurality of service providers are allocated in a single storage area of the IC card. Further, a single data communication device is shared by a plurality of service providers to provide a plurality of services. The divided file system structure allows the following storage areas to be managed: storage areas available to a particular service provider with the original card issuer's permission, storage areas available to multiple service providers with the original card issuer's permission, and storage areas available to the original card issuer.
Specifically, when a plurality of file systems each available to one service provider are managed in addition to the file system available to the original card issuer, the boundary between these file systems functions as a firewall, thereby appropriately preventing one of these file systems (i.e., one of the plurality of service providers) from being accessed (hacked) by the other file systems.
A method of managing the memory area of the IC card is described below with reference to fig. 6 to 9.
Fig. 6 illustrates a storage area in which the original card issuer manages only the file system of the original card issuer. The system code SC1 is assigned to the original card issuer by the system code authority. When an external device or program accesses the card issuer's file system, the external device or program uses "SC1" as the identification code (i.e., the argument of the request command).
Fig. 7 illustrates an amount of free space in the card issuer's file system that the card issuer may permit another storage area manager to lease or purchase. At this stage, the file system in the memory space has not yet been divided. As long as the card issuer has free space in its file system, the card issuer may permit multiple area managers to lease or purchase a certain amount of free space. For example, in an implementation in which a file system is identified by a 4-bit system code, the storage area may hold up to 16 file systems (that is, the file system may be divided up to 15 times).
Fig. 8 illustrates another service provider dividing a storage area licensed by the card issuer to generate a new file system. The new file system is assigned the system code SC2 by the administrator of system codes. When an external device or program accesses the file system managed by the storage area manager (service provider), the external device or program uses "SC2" as the identification code (i.e., the argument of the request command).
Fig. 9 illustrates a public area manager dividing a storage area permitted by the card issuer using the system code SC0 of the public area. When an external device or program accesses the file system, which is a storage area managed by the common area manager, the external device or program uses the system code SC0 as the identification code (i.e., the argument of the request command).
Next, a process of generating a new file system by dividing a storage area will be described.
Fig. 10 illustrates the preprocessing for dividing the file system. When a new service provider wishes to divide a file system in the memory area of an IC card, the service provider requests permission to use the memory area from the card issuer. Subsequently, in order to grant permission to use the storage area (i.e., permission to divide out a file system), the card issuer obtains from the division engineering manager the "division element package" required to divide out the file system.
The division engineering manager corresponds to a card memory area manager 22 that manages the memory area in the IC card after the IC card is manufactured or delivered, and the new service provider corresponds to a card memory area user 24 (see fig. 5).
The division engineering manager has the authority to assign a system code to each file system in the storage area of the IC card, and manages the division authority key K_d stored in the operating system (which provides the execution environment of the IC card). The division engineering manager assigns an area key K_Ii (the issuer key of the new service provider, i.e., the virtual card issuer, that uses the area) and a system code SC_i to the file system newly generated by the division (where the subscript "i" denotes the i-th divided file system). The division engineering manager then encrypts a data block including these values using the division authority key K_d to generate the division element package, and delivers the division element package to the card issuer.
Since the card issuer does not have the division authority key K_d, the card issuer can neither decrypt nor tamper with the delivered division element package.
The card issuer then encrypts, using the issuer key K_I unique to the card issuer, a data block including the received division element package and the size (number of blocks) of the division area permitted for use by the new service provider, to generate a division package.
Since the division package is encrypted using the card issuer key K_I, which is managed by the card issuer and the card issuer's file system, a third party can neither decrypt the division package nor tamper with the size of the division area.
After performing this preprocessing, the card issuer holds a division package and requests the division of the file system in the storage area of the IC card using the division package. Here, access to the file system is performed using the zone ID of the file system as an argument. Since the card issuer knows only the system code, the card issuer first polls the IC card to obtain the zone ID of the card issuer's file system.
Fig. 11 illustrates the process performed by the card issuer to poll the IC card. Communication between the card issuer (or another external device) and the IC card may be performed using the noncontact short-range communication interface based on electromagnetic induction described with reference to figs. 1 and 2, or a wired interface such as the UART 48 or the I2C interface 49 (the same applies hereinafter).
The card issuer performs polling of the operating system, which is an execution environment of the IC card, to request the area ID of the file system using the system code SC of the card issuer as an argument.
When triggered by the request message, a mutual authentication process including a plurality of bidirectional communication operations is performed between the card issuer, which is the requester, and the operating system, which is the execution environment of the IC card. The zone ID is then returned to the card issuer as a return value. The configuration of the mutual authentication process differs depending on the specification of the IC card, which is not directly associated with the key feature of the present invention. Therefore, a detailed description thereof will not be given.
A similar polling procedure is also performed by a new service provider (i.e., a virtual card issuer) that has obtained a new file system through the splitting operation to obtain a zone ID uniquely belonging to the new service provider.
The card issuer issues a file system division request to the operating system of the IC card. The file system division request takes the card issuer's zone ID and the division package as arguments. Since the division package is encrypted using the card issuer key K_I, third parties cannot tamper with it. Fig. 12 illustrates the process of sending the division request from the card issuer to the IC card. Fig. 13 illustrates the memory area of the IC card being divided and a new file system being generated. Communication between the card issuer and the IC card is performed using the contactless short-range communication interface based on electromagnetic induction or a wired interface such as the UART 48 or the I2C interface 49.
When the operating system of the IC card receives the division request, the division package is delivered to the file system of the card issuer identified by the zone ID in the argument. The division package is then decrypted using the card issuer key K_I, and the division element package and the size (number of blocks) of the division area are retrieved.
When the division element package and the size of the division area are received from the file system of the card issuer, the operating system of the IC card decrypts the division element package using the division authority key K_d to retrieve the area key K_Ii to be used immediately after the division operation (the issuer key of the new service provider, i.e., the virtual card issuer, that uses the area) and the system code SC_i. The operating system then divides a storage area of the requested size from the card issuer's unused area. In addition, the operating system sets the issuer key K_Ii and the system code SC_i for the area to define the area as a new file system.
After this process of partitioning the file system is completed, the state is returned to the card issuer, who is the requestor of the partitioning operation.
Thus, the new service provider can obtain its own file system in the storage area of the IC card issued by the other card issuer. Therefore, the service provider can develop service business as if the service provider issued its own IC card, that is, the service provider is a virtual card issuer.
However, in the initial state immediately after the division operation, the issuer key K_Ii and the system code SC_i are still those set by the division engineering manager. That is, for the new service provider, some security settings of its own file system depend on the division engineering manager. Thus, the new service provider cannot yet independently analyze, manage, and handle threats to security.
Therefore, after obtaining the file system in the storage area of the IC card, the new service provider is required to perform a process for resetting the issuer key K_Ii and the system code SC_i. In addition to resetting the issuer key K_Ii and the system code SC_i, the size of the division area may be changed.
Fig. 14 illustrates the process of resetting the issuer key K_Ii and the system code SC_i, performed after the new service provider obtains its file system in the storage area of the IC card. Communication between the new service provider and the IC card is performed using the contactless short-range communication interface based on electromagnetic induction or a wired interface such as the UART 48 or the I2C interface 49.
The service provider polls the operating system serving as the execution environment of the IC card, issuing a zone ID request for its file system using the system code SC_i determined immediately after the division operation as an argument.
When triggered by the request message, a mutual authentication process including a plurality of bidirectional communication operations is performed between the new service provider and the operating system, which is an execution environment of the IC card. The default zone ID assigned by the partition engineering manager during the partition process is then returned to the service provider as the return value for the request. The configuration of the mutual authentication process differs depending on the specification of the IC card, and is not directly associated with the key feature of the present invention. Therefore, a detailed description thereof will not be given.
After the mutual authentication process is completed, the service provider issues a key change request to the operating system of the IC card to change the default issuer key K_Ii. The key change request uses the default zone ID and the key change packet as arguments. Since the key change packet is encrypted using the default issuer key K_Ii, a third party cannot tamper with it.
When the operating system of the IC card receives the key change request, the key change packet is delivered to the file system of the service provider identified by the zone ID in the argument. The key change packet is then decrypted using the issuer key K_Ii and its contents are retrieved. The issuer key K_Ii of the file system is then changed to a new issuer key K_Ii'. The status of the change operation is returned to the service provider, which is the requester of the key change operation.
The service provider then issues a system code change request to the operating system of the IC card to change the default system code SC_i. The system code change request uses the default zone ID and the system code change packet as arguments. Since the system code change packet is encrypted using the new issuer key K_Ii', a third party cannot tamper with it.
When the operating system of the IC card receives the system code change request, the system code change packet is delivered to the file system of the service provider identified by the zone ID in the argument. The system code change packet is then decrypted using the issuer key K_Ii' and its contents are retrieved. The default system code SC_i of the file system is then changed to a new system code SC_i'. The status of the change operation is returned to the service provider, which is the requester of the system code change operation.
Then, the service provider issues a zone ID change request to the operating system of the IC card to change the default zone ID_i. The zone ID change request uses the default zone ID and the zone ID change packet as arguments. Since the zone ID change packet is encrypted using the new issuer key K_Ii', a third party cannot tamper with it.
When the operating system of the IC card receives the zone ID change request, the zone ID change packet is delivered to the file system of the service provider identified by the zone ID in the argument. The zone ID change packet is then decrypted using the issuer key K_Ii' and its contents are retrieved. The default zone ID_i of the file system is then changed to a new zone ID_i'. The status of the change operation is returned to the service provider, which is the requester of the zone ID change operation.
By setting its own secure issuer key K_Ii' and system code SC_i' for the file system, the new service provider can analyze, manage, and handle threats to security independently of the original card issuer.
As noted above, in the present embodiment, the storage area of the IC card is divided into a plurality of file systems (see fig. 15). A system code SC and a zone ID are set for each file system. In addition, mutual authentication for using the storage area is performed using the issuer key K_Ii of the service provider (including the original card issuer) that owns the file system. Thus, the service provider to which a file system is assigned can analyze, manage, and handle threats to security independently of the original card issuer.
Further, when a service provider accesses its file system, a process including a zone ID request and mutual authentication basically needs to be performed. The service provider polls the file system using the system code it holds as an argument to obtain the zone ID of the storage area of the corresponding file system. Subsequently, mutual authentication is performed using the zone ID and the issuer key K_I. If the mutual authentication is successfully completed, the service provider is allowed to access the file system.
In addition, each service provider (including the original card issuer) packetizes a request command (e.g., a read request, a write request, a data delete request, or a zone/service registration request described below) using the issuer key K_I unique to the service provider's file system, and performs encrypted communication using the packet (see fig. 16). Thus, other file systems cannot retrieve the associated data, and third parties cannot read data from or write data to the file systems without permission.
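The division flow of figs. 10 to 13 and the key and system code reset of fig. 14, modelled end to end in one script. This is an added example, not code from the patent or from any card product. It assumes a toy encrypt-then-MAC construction built from HMAC-SHA256 in place of the card's DES engine, JSON as the package layout, and a `CardOS` class standing in for the card's operating system; the polling-time mutual authentication, which the text leaves unspecified, is not modelled. The key names K_d, K_I and K_Ii, the system codes and the "size" field follow the text; every key and package is constructed at run time.

```python
import hashlib
import hmac
import json
import os


# --- stand-in for the card's encryption engine (assumption: toy encrypt-then-MAC) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """nonce || ciphertext || tag: without `key` the payload can be neither read nor altered undetected."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, pkt: bytes) -> dict:
    nonce, ct, tag = pkt[:16], pkt[16:-32], pkt[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("package rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class CardOS:
    """Card operating system: holds K_d and one entry (key, system code, blocks) per file system."""

    def __init__(self, k_d: bytes, issuer_key: bytes, system_code: str, free_blocks: int):
        self.k_d = k_d
        self.fs = {"ID0": {"key": issuer_key, "sc": system_code, "blocks": free_blocks}}

    def poll(self, system_code: str) -> str:
        # Returns the zone ID for a system code (mutual authentication omitted here).
        return next(aid for aid, f in self.fs.items() if f["sc"] == system_code)

    def divide(self, zone_id: str, division_package: bytes) -> str:
        issuer = self.fs[zone_id]
        outer = unseal(issuer["key"], division_package)            # layer sealed with K_I
        inner = unseal(self.k_d, bytes.fromhex(outer["element"]))  # layer sealed with K_d
        if outer["size"] > issuer["blocks"]:
            raise ValueError("not enough unused blocks")
        issuer["blocks"] -= outer["size"]
        new_id = f"ID{len(self.fs)}"
        self.fs[new_id] = {"key": bytes.fromhex(inner["k_ii"]), "sc": inner["sc_i"], "blocks": outer["size"]}
        return new_id

    def change(self, zone_id: str, field: str, pkt: bytes) -> str:
        # Key / system-code reset: the packet must verify under the file system's current key.
        body = unseal(self.fs[zone_id]["key"], pkt)
        self.fs[zone_id][field] = bytes.fromhex(body["value"]) if field == "key" else body["value"]
        return "OK"


def run_division_flow() -> dict:
    k_d = os.urandom(16)   # held by the division engineering manager only
    k_i = os.urandom(16)   # issuer key of the original card issuer
    card = CardOS(k_d, k_i, "SC1", free_blocks=64)
    # 1. division engineering manager: element package {K_Ii, SC_i} under K_d
    k_ii, sc_i = os.urandom(16), "SC2"
    element = seal(k_d, {"k_ii": k_ii.hex(), "sc_i": sc_i})
    # 2. the card issuer cannot open it; it wraps it with the permitted size under K_I
    try:
        unseal(k_i, element); issuer_can_read = True
    except ValueError:
        issuer_can_read = False
    division_pkg = seal(k_i, {"element": element.hex(), "size": 16})
    # 3. a third party flipping one byte of the size layer is rejected by the card
    forged = bytearray(division_pkg); forged[20] ^= 0x01
    try:
        card.divide(card.poll("SC1"), bytes(forged)); forgery_detected = False
    except ValueError:
        forgery_detected = True
    # 4. genuine request: new file system carved from the issuer's unused blocks
    new_id = card.divide(card.poll("SC1"), division_pkg)
    # 5. the new service provider resets its key, then its system code under the new key
    k_ii2 = os.urandom(16)
    card.change(card.poll(sc_i), "key", seal(k_ii, {"value": k_ii2.hex()}))
    card.change(card.poll(sc_i), "sc", seal(k_ii2, {"value": "SC2x"}))
    try:   # a packet under the manager-assigned key no longer verifies
        card.change(card.poll("SC2x"), "sc", seal(k_ii, {"value": "X"})); old_key_rejected = False
    except ValueError:
        old_key_rejected = True
    return {"issuer_can_read": issuer_can_read, "forgery_detected": forgery_detected,
            "new_id": new_id, "issuer_blocks": card.fs["ID0"]["blocks"],
            "new_fs_blocks": card.fs[new_id]["blocks"], "new_fs_sc": card.fs[new_id]["sc"],
            "new_key_installed": card.fs[new_id]["key"] == k_ii2, "old_key_rejected": old_key_rejected}


if __name__ == "__main__":
    print(run_division_flow())
```

The two nested layers are what give the separation of duties the text describes: the issuer can set the size but never learns K_Ii, and the division engineering manager never touches K_I. The final step shows why the reset in fig. 14 matters: once K_Ii is replaced, anything the manager could have produced under the original key is refused.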
By repeatedly performing the division operation on the storage area of the IC card, as shown in fig. 15, a plurality of file systems coexist. As described below, the original card issuer and the service provider who has obtained the file system of the service provider on the IC card under the permission of the card issuer can arrange areas and services using the file system to develop business plans.
The following describes the management in a file system. Basically, the same operation is applied to each file system. In order to operate on the file system, it is assumed that the above-described zone ID request and mutual authentication have been performed in advance.
In the file system, one or more applications are allocated, such as external electronic value exchange including electronic payment. The storage area allocated to an application is referred to as a "service storage area". Further, the use of an application, that is, an operation of accessing a service storage area corresponding to the application is referred to as "service". Examples of services include access to read from memory, access to write to memory, and addition and subtraction of value information (e.g., electronic money).
To restrict the user of an application, i.e. the activation of a service, depending on whether the user has access rights, a security code (i.e. a PIN) is assigned to the application. The PIN is checked at service initiation. In addition, access to the service storage area is protected with appropriate encrypted communications, depending on the security level of the application.
In the present embodiment, a hierarchical structure similar to a "directory" is introduced to each file system provided in the storage area of the IC card. Each application allocated in the storage area may be registered to a "zone" in the desired layer.
For example, a plurality of applications related to a series of transactions, or a plurality of closely related applications, are registered to service storage areas in the same area (and a plurality of closely related areas are registered to the same parent area). Thus, the applications and areas in the storage area are organized, and the applications are efficiently classified and organized for the user.
In addition, a PIN may be set for each application to control access to the file system in a hierarchical fashion. Further, a PIN may be set for each zone. For example, by inputting a PIN of a certain region, after successfully performing the verification process and the mutual authentication process, the user can obtain access rights of all applications in the region. Accordingly, since the user can obtain access rights of all applications related to a series of transactions by inputting the PIN of a certain field only once, efficient access control can be provided. Further, the ease of operation of the apparatus can be improved.
Further, a plurality of access rights may be set for a service storage area, and then a security code may be set for each right (i.e., for each service executed in the service storage area). For example, different PINs are set for a plurality of services (e.g., a "read" service and a "read and write" service) activated in the same service storage area. In another example, different PINs are set for the "increase" service and the "decrease" service of electronic money or other value information. Further, for some memory areas, the following settings may be made: for read operations, no PIN entry is required; however, for write operations, a PIN is required to be entered.
Fig. 17 is a schematic illustration of a data structure of a file system. In the example shown in fig. 17, a hierarchy similar to a "directory" is introduced to the memory space of the file system. That is, each application allocated to the storage area can be registered as a service storage area in a desired hierarchical zone. For example, multiple closely related applications (e.g., multiple applications for a series of transactions) may be registered to the same zone (and multiple closely related zones may also be registered to the same parent zone).
Further, each of the application (i.e., the service storage area) and the area allocated to the file system has a security code definition block. Accordingly, a PIN may be set for each application or each zone. Furthermore, the access rights of the file system can be set application by application and zone by zone.
Further, instead of setting a right to the service storage area, a PIN may be set for each executed service. For example, different PINs are set for "read" and "read and write" services that are active for the same service storage area. Further, different PINs are set for the "increase" and "decrease" services of electronic money or other value information.
The verification unit compares the PIN transmitted through a protocol interface (such as a contactless short-range communication interface based on electromagnetic induction, UART 48, or I2C 49) with the security code set for the zone assigned to each application or directory, or with the security code set for the service storage area, so that access to the memory area having the same security code is permitted. The memory area to which access is allowed can then be accessed through the protocol interface.
As described above, in the file system, various service storage areas allocated to a plurality of applications are allocated, and one or more services applicable to each service storage area are set. In the present embodiment, access restrictions are set zone by zone and application by application. Further, a PIN is set for the type of service applied to an application, so that access restrictions can be set on a service-by-service basis.
Fig. 18 illustrates a basic structure of a file system. As described with reference to fig. 17, a hierarchical structure similar to "directory" is introduced to each file system. The service storage area allocated to the application may be registered to an area in the desired layer. In the example shown in fig. 18, one service storage area is registered in the area 0000 defined by the area definition block 0000.
The service storage area in fig. 18 is composed of at least one user block. The term "user block" refers to the smallest unit of data for which an access operation is guaranteed. The service defined by the service 0108 definition block (i.e., service 0108) can be applied to the service storage area.
In addition to zone-by-zone and application-by-application access restrictions, by setting security codes for each type of service, access restrictions can be set on a service-by-service basis. The security code setting information of the service to which the access restriction is applied may be defined as a service (i.e., a security code service) specific to the security code. In the example shown in fig. 18, the security code of service 0108 is defined as the security code service 0128 definition block. Details of the security code service are stored in a security code service data block.
When the security code service of service 0108 is enabled, it is required that the security code is checked using security code service 0128 before service 0108 is activated and a read or write operation is performed on the user block of service 0108. More specifically, when an encrypted read/write command is used, the security code of service 0108 (i.e., the PIN of service 0108) is checked before performing mutual authentication.
Further, the service storage area allocated to the application may be registered in a zone in a desired layer, and the zone may be hierarchical (a plurality of zones that are highly related are registered in the same parent zone). In this case, by setting a PIN for each region, the region can serve as an access restriction unit. Fig. 19 illustrates a plurality of areas layered in the memory space of the IC card 50. In the example shown in fig. 19, a different area 1000 defined by an area 1000 definition block is registered in an area 0000 defined by an area 0000 definition block.
In the example shown in fig. 19, two service storage areas are also registered in the area 1000. The service 1108 defined by the service 1108 definition block and the service 110B defined by the service 110B definition block may both be applied to one of the two service storage areas. As used herein, defining a plurality of different services for one service storage area is referred to as an "overlay service". In an overlay service, different services are applied to the same service storage area according to the input PIN. Further, the service 110C defined by the service 110C definition block may be applied to the other of the two service storage areas.
After the service set in the service storage area is activated, a read or write operation may be performed on the user block of the service storage area. As described with reference to fig. 18, a security code service may be defined for each service. In this case, if the security code service of the service is activated, the service is allowed to be activated after completion of the PIN check using the security code service.
When a common PIN is required to be set for a plurality of services, a zone including the services may be generated and a common security code service may be applied to the zone.
In the example shown in fig. 19, the security code of the region 1000 is defined as a security code service 1020 definition block. Details of the security code service are stored in a security code service data block.
When the security code service of zone 1000 is enabled (as will be described further below), the security code is checked using security code service 1020. Then, each service in the area 1000 is activated. Thus, a read or write operation can be performed on a user block of a service.
Here, when the security code service is applied to the service in the area 1000 and enabled, a read or write operation cannot be performed on the user block of the service until the security code check using the security code service is completed.
As shown in fig. 18 and 19, a unique security code service and a security code check service corresponding to the zone are provided.
FIG. 20 illustrates, in flow chart form, a process for registering regions and services in a file system.
First, an area is defined in the memory space (step S1).
Subsequently, a service storage area for an application is allocated in this area using a registration service command of the service. Meanwhile, the service applied to the service storage area is defined (step S2). In the register service command, the number of user blocks in the service storage area is specified. If multiple applications are to be allocated in the zone, this step is repeated.
In order to apply the security code to the service defined in the area, the security code service is registered using the registration service command of the service (step S3).
The security code service is registered using the same registration service command as for the normal service. However, in order to register the security code service, the region and the service subjected to the security code check must have been registered. That is, if a zone and a service subjected to PIN verification are not found, an error may occur in performing a registration service for a security code service. Further, since the security code service has only one security code service data block (which corresponds to the user block of the general service), if a number of user blocks other than 1 is specified in the registration service command at the time of service registration, an error occurs.
Further, in order to set a security code common to all services defined in the area, a register service command is used to register a common security code service for the area (step S4).
Note that the processing in step S4 may be performed before the processing in step S3 is performed.
Further, in order to define a plurality of different services for one service storage area, an overlapping service (see fig. 19) is registered using a registration service command of the service (step S5).
Further, in order to apply the security code to the overlapped service, the security code service is registered using the registration service command of the service (step S6).
In the example shown in fig. 18, after a service storage area is allocated in the root area 0000 and a service 0108 applied to the service storage area is registered, a security code service applied to the service 0108 is registered.
Further, in the example shown in fig. 19, two service memory areas are allocated in the area 1000 under the root area 0000. Further, services 1108 and 110C, which are applied to the two service storage areas, respectively, are registered. Further, a different service 110B is registered in one of the plurality of service storage areas as an overlapping service. Although not shown, if it is required to apply a security code to the service storage area, the security code service is independently registered. Further, if application of a public security code to the registered services 1108, 110B, and 110C is required, a public security code service is registered in the area 1000.
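The registration order of fig. 20 and the two error conditions named for the register service command (the protected zone or service must already exist, and a security code service may request exactly one data block) can be modelled as a small in-memory file system. The following is an added illustration, not the patent's own code; the dict layout, the `RegistrationError` type and the storage-area identifiers are assumptions, while the codes 0000, 1000, 0108, 0128, 1108, 110B, 110C and 1020 are those of figs. 18 and 19. `required_checks` answers the question the two figures raise: which security code services must pass before a given service may be activated.

```python
"""Model of the hierarchical file system of figs. 17 to 20: areas (zones),
service storage areas, overlay services and security code services.
Added illustration, not the patent's own code; the dict layout, the
RegistrationError type and the storage ids are assumptions. The codes
0000, 1000, 0108, 0128, 1108, 110B, 110C and 1020 are the figures' own."""


class RegistrationError(Exception):
    """Raised where the text says the register service command errors."""


class FileSystem:
    def __init__(self):
        # area code -> {"parent": area code or None, "pin_service": code or None}
        self.areas = {}
        # service code -> {"area": area code, "storage": storage id, "pin_service": code or None}
        self.services = {}
        # storage id -> {"area": area code, "blocks": user block count, "services": [codes]}
        self.storages = {}

    def register_area(self, code, parent=None):
        """Step S1: define an area, optionally nested under a parent area."""
        if parent is not None and parent not in self.areas:
            raise RegistrationError(f"parent area {parent} is not registered")
        self.areas[code] = {"parent": parent, "pin_service": None}

    def register_service(self, code, area, user_blocks, storage=None):
        """Steps S2/S5: allocate a service storage area of `user_blocks` blocks
        in `area` and define a service for it; pass `storage` to overlay a
        further service on an existing storage area (fig. 19)."""
        if area not in self.areas:
            raise RegistrationError(f"area {area} is not registered")
        if user_blocks < 1:
            raise RegistrationError("a service storage area needs at least one user block")
        if storage is None:
            storage = f"storage-{code}"  # assumed naming of the storage area
            self.storages[storage] = {"area": area, "blocks": user_blocks, "services": []}
        elif storage not in self.storages or self.storages[storage]["area"] != area:
            raise RegistrationError("overlay target is not a storage area of this area")
        self.storages[storage]["services"].append(code)
        self.services[code] = {"area": area, "storage": storage, "pin_service": None}
        return storage

    def register_security_code_service(self, code, target, user_blocks=1):
        """Steps S3/S4/S6: attach a security code service to a registered
        service or area. The text names two error cases: the target must
        already be registered, and exactly one data block may be requested."""
        if user_blocks != 1:
            raise RegistrationError("a security code service has exactly one data block")
        if target in self.services:
            self.services[target]["pin_service"] = code
        elif target in self.areas:
            self.areas[target]["pin_service"] = code
        else:
            raise RegistrationError(f"no service or area {target} to protect")

    def required_checks(self, service):
        """Security code services whose PIN check must pass before `service`
        can be activated: the service's own, then those of each enclosing
        area from the innermost outwards (figs. 18 and 19)."""
        if service not in self.services:
            raise KeyError(service)
        checks = []
        own = self.services[service]["pin_service"]
        if own is not None:
            checks.append(own)
        area = self.services[service]["area"]
        while area is not None:
            pin = self.areas[area]["pin_service"]
            if pin is not None:
                checks.append(pin)
            area = self.areas[area]["parent"]
        return checks


def build_fig18():
    """Root area 0000, service 0108 on one storage area, security code service 0128."""
    fs = FileSystem()
    fs.register_area("0000")
    fs.register_service("0108", "0000", user_blocks=2)
    fs.register_security_code_service("0128", "0108")
    return fs


def build_fig19():
    """Area 1000 under 0000; services 1108 and 110B overlaid on one storage
    area, 110C on another; common security code service 1020 on area 1000."""
    fs = FileSystem()
    fs.register_area("0000")
    fs.register_area("1000", parent="0000")
    shared = fs.register_service("1108", "1000", user_blocks=4)
    fs.register_service("110B", "1000", user_blocks=4, storage=shared)  # overlay service
    fs.register_service("110C", "1000", user_blocks=2)
    fs.register_security_code_service("1020", "1000")  # step S4
    return fs
```

Note that `required_checks` walks the zone hierarchy outward, so a PIN set on a parent zone gates every service beneath it even when the service has no security code service of its own; that is the single-PIN-per-transaction-series behaviour described above.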
When a service provider (including the original card issuer) wants to register a zone and a service in the file system assigned to it, the service provider issues a zone registration request and a service registration request to the operating system that provides the execution environment of the IC card. Because the registration requests are packaged using the issuer key K_I of the file system, which belongs uniquely to that provider, and are sent over encrypted communication (see fig. 16), a third party cannot read or write data to and from the file system without permission.
Fig. 21 illustrates the procedure performed by a service provider (including the original card issuer) in step S1 shown in fig. 20 for registering a zone in the file system of that service provider. Communication between the service provider and the IC card is performed using a contactless short-range communication interface based on electromagnetic induction, or using a wired interface such as UART 48 or I2C 49.
The service provider performs polling of the operating system serving as the execution environment of the IC card and issues a region ID request to the file system using the system code SC of the file system as an argument.
When triggered by the request message, a mutual authentication process including a plurality of bidirectional communication operations is performed between the service provider and the operating system, which is an execution environment of the IC card. Then, a zone ID is returned to the service provider as a return value. The configuration of the mutual authentication process differs depending on the specification of the IC card, which is not directly associated with the key feature of the present invention. Therefore, a detailed description thereof will not be given.
After the mutual authentication process is completed, the service provider issues a zone registration request to the operating system of the IC card to register a zone in the file system. The zone registration request is executed using the zone ID and the zone registration request packet as its arguments. Because the zone registration request packet is encrypted using the service provider's issuer key K_I, a third party cannot tamper with it.
When the operating system of the IC card receives the zone registration request, the zone registration request packet is transmitted to the file system of the service provider based on the zone ID in the argument. The zone registration request packet is then decrypted using the service provider's issuer key K_I, and its contents are retrieved. Subsequently, the zone requested in the packet is registered in the file system. The status of the registration operation is returned to the service provider (the requester of the registration operation).
Fig. 22 illustrates the procedure performed by a service provider (including the original card issuer) in step S2 shown in fig. 20 for registering a service in the file system (or in a specific zone registered in the file system) of that service provider. Communication between the service provider and the IC card is performed using a contactless short-range communication interface based on electromagnetic induction, or using a wired interface such as UART 48 or I2C 49.
The service provider performs polling of the operating system serving as the execution environment of the IC card and issues a region ID request to the file system using the system code SC of the file system as an argument.
When triggered by the request message, a mutual authentication process including a plurality of bidirectional communication operations is performed between the service provider and the operating system, which is an execution environment of the IC card. Then, a zone ID is returned to the service provider as a return value. The configuration of the mutual authentication process differs depending on the specification of the IC card, which is not directly associated with the key feature of the present invention. Therefore, a detailed description thereof will not be given.
After the mutual authentication process is completed, the service provider issues a service registration request to the operating system of the IC card to register a service in the file system (or in a specific zone registered in the file system). The service registration request is executed using the zone ID and the service registration request packet as its arguments. Because the service registration request packet is encrypted using the service provider's issuer key K_I, a third party cannot tamper with it.
When the operating system of the IC card receives the service registration request, the service registration request packet is transmitted to the file system of the service provider based on the zone ID in the argument. The service registration request packet is then decrypted using the service provider's issuer key K_I, and its contents are retrieved. Subsequently, the service requested in the packet is registered in the file system (or in a specific zone registered in the file system). The status of the registration operation is returned to the service provider (the requester of the registration operation).
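The security property of the exchanges in figs. 21 and 22 is that the card's operating system only routes the request packet by zone ID; it is the addressed file system, holding the provider's issuer key K_I, that opens it, so a packet sealed under another provider's key or altered in transit is rejected. The following added illustration is not the patent's code. The patent does not name the cipher, so the SHA-256 counter-mode keystream with an HMAC tag used below is a constructed stand-in, as are the keys, system codes and zone IDs; the mutual authentication that the text says precedes the request is assumed to have completed.

```python
"""Dispatch of an encrypted zone/service registration request (figs. 21 and
22): the card OS routes the request packet to the file system named by the
zone ID, and only that file system's issuer key K_I opens it. Added
illustration, not the patent's code. The cipher (SHA-256 keystream plus HMAC
tag), keys, system codes and zone IDs are constructed stand-ins."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256; stand-in for the card's cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal_packet(issuer_key, packet):
    """Service provider side: encrypt the request packet under K_I and append
    an HMAC tag so that modification by a third party is detected."""
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps(packet, sort_keys=True).encode()
    body = bytes(p ^ k for p, k in zip(plain, _keystream(issuer_key, nonce, len(plain))))
    tag = hmac.new(issuer_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_packet(issuer_key, blob):
    """File system side: verify the tag first, then decrypt. Returns None if
    the packet was sealed under another key or altered in transit."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(issuer_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(c ^ k for c, k in zip(body, _keystream(issuer_key, nonce, len(body))))
    try:
        return json.loads(plain)
    except ValueError:
        return None


class ProviderFileSystem:
    """One file system in the card's memory space, holding its provider's K_I."""

    def __init__(self, system_code, issuer_key):
        self.system_code = system_code
        self.issuer_key = issuer_key
        self.areas = set()
        self.services = {}  # service code -> zone code


class CardOS:
    """Execution environment of the IC card: finds file systems by system code
    and forwards encrypted packets by zone ID without being able to read them."""

    def __init__(self):
        self.file_systems = {}  # zone ID -> ProviderFileSystem

    def add_file_system(self, area_id, system_code, issuer_key):
        self.file_systems[area_id] = ProviderFileSystem(system_code, issuer_key)

    def area_id_request(self, system_code):
        """Return the zone ID of the file system with this system code, if any."""
        for area_id, fs in self.file_systems.items():
            if fs.system_code == system_code:
                return area_id
        return None

    def area_registration_request(self, area_id, blob):
        """Fig. 21: route by zone ID, decrypt with that file system's K_I, register."""
        fs = self.file_systems.get(area_id)
        if fs is None:
            return "ERR_NO_FILE_SYSTEM"
        packet = open_packet(fs.issuer_key, blob)
        if packet is None or "area" not in packet:
            return "ERR_AUTH"  # wrong issuer key or tampered packet
        fs.areas.add(packet["area"])
        return "OK"

    def service_registration_request(self, area_id, blob):
        """Fig. 22: same routing; the service's zone must already be registered."""
        fs = self.file_systems.get(area_id)
        if fs is None:
            return "ERR_NO_FILE_SYSTEM"
        packet = open_packet(fs.issuer_key, blob)
        if packet is None:
            return "ERR_AUTH"
        if packet.get("area") not in fs.areas or "service" not in packet:
            return "ERR_NO_AREA"
        fs.services[packet["service"]] = packet["area"]
        return "OK"
```

The tag is checked before any decryption, so the card never acts on a packet whose origin it cannot verify; the status code returned to the requester is the only information a provider learns about another provider's file system.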
As shown in fig. 18 and 19, access control can be performed zone by zone or service by applying a PIN to a zone or service registered in the file system. Further, when a plurality of services (overlapped services) are registered in one service storage area, by applying a PIN to each service, a plurality of access methods can be defined for the same service storage area.
However, in this embodiment, mutual authentication using the issuer key (as described above) is mandatory for file access, while PIN verification is optional. That is, a security code check is required before a service is started or a zone is accessed only if the security code service of that service or zone is enabled; when the security code service is disabled, no security code check is required.
Details of the PIN are written into a security code service data block of the security code service definition block. Fig. 23 is a schematic illustration of a data structure of a security code service data block. As shown in fig. 23, the security code service data block includes a security code area, a storage area for the number of failed authentication attempts, a setting area for the maximum permitted number of failed authentication attempts, a security code use selection area, and an access permission flag.
Only if the PIN entered by the user is successfully verified, the access permission flag in the security code service data block of the corresponding service or zone is set so that access to the service or zone is allowed.
The access permission flag is a flag indicating whether to allow access to the corresponding application or directory. The service or area to which the access permission flag is set is accessible. By default, the access permission flag for the service or zone for which the PIN is required is set to "inaccessible". After the PIN checking operation and the mutual authentication operation using the issuer key of the file system are successfully performed, the access permission flag is set so that access is allowed. Further, if the access permission flag is continuously set and the IC card is lost or stolen, the user may suffer a monetary loss due to unauthorized use of the service or area. Therefore, the IC card may have the following features: the IC card automatically changes from the accessible state to the inaccessible state in response to, for example, the absence of electromagnetic waves.
Further, when an illegal PIN is input, the number of authentication attempt failures is updated. If the number of authentication attempt failures exceeds the maximum allowable authentication attempt failure number set in the setting area of the maximum allowable authentication attempt failure number, the corresponding service is prohibited from being started or the corresponding area is prohibited from being accessed.
Typically, once the PIN is successfully entered, the number of failed authentication attempts is cleared; counting the failures in this way prevents malicious users from trying security codes repeatedly. If the number of times the user enters the PIN unexpectedly exceeds the maximum permitted number of failed attempts and verification fails, only the administrator of the IC card (for example, a division engineering administrator or the original card issuer) can clear the failure count. For authentication of the administrator, for example, the following authentication using a private key can be employed.
Fig. 24 illustrates in flow chart form a process for controlling the initiation of a service or access to a zone in accordance with a security code entered from a user.
When the user inputs the security code (step S11), the security code service data block of the security code service definition block is accessed to check the security code (step S12).
If the PIN in the security code service data block is the same as the PIN input by the user, an access permission flag in the security code service data block is set so that the corresponding service or area becomes accessible (step S13).
For example, by placing an IC chip above a reader/writer, a PIN input through a user interface of an external device (not shown) connected to the reader/writer can be transmitted to the IC card using a non-contact short-range communication interface based on electromagnetic induction.
As shown in fig. 24, when using a PIN to control access to applications and directories, a malicious user can crack the security wall by continuously trying the PIN (especially in the case of using short digits as a security code). Therefore, in the present embodiment, the maximum allowable authentication attempt failure number is set in the security code definition area so that an application or a directory in which the authentication attempt failure number exceeds the maximum allowable authentication attempt failure number becomes inaccessible. Thereby, access control is provided.
Fig. 25 illustrates, in flow chart form, a process for controlling access rights to services and zones using the number of authentication attempt failures.
When the user inputs the PIN (step S21), each security code service definition block is accessed to check the PIN (step S22).
If the PIN input by the user is the same as the PIN in the security code service definition block, an access permission flag in the security code service data block is set so that the corresponding service or area becomes accessible (step S23).
However, if the PIN input by the user does not match the PIN in any of the security code service definition blocks, the number of failed authentication attempts in the security code definition area is updated (step S24). Conversely, if the PIN input by the user matches and authentication succeeds, the number of failed authentication attempts is cleared.
At step S25, it is determined whether the updated number of failed authentication attempts exceeds the maximum permitted number of failed attempts set in the security code definition area.
If the number of authentication attempt failures exceeds the maximum allowed number of authentication attempt failures, the access permission flag in the security code definition area is cleared. Thereby, the corresponding service or area becomes inaccessible (step S26). As a result, malicious users are prevented from constantly trying the PIN.
In contrast, if the number of times the user inputs the PIN unexpectedly exceeds the maximum allowable authentication attempt failure number and the verification of the security code fails, only the administrator of the IC card (e.g., a division engineering administrator or an original card issuer) can clear the authentication attempt failure number. For authentication of the administrator, for example, authentication using a private key may be employed.
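The data block of fig. 23 and the check of figs. 24 and 25 together form a small state machine: a failed entry increments the counter, a successful entry clears it and sets the access permission flag, and once the counter exceeds the maximum even a correct PIN is no longer accepted until an administrator clears it. The following added illustration is not the patent's code. The patent says the administrator is authenticated with a private key; the HMAC over a shared administrator secret used here is a constructed stand-in, as are the PIN values and limits.

```python
"""The security code service data block of fig. 23 and the check of figs. 24
and 25: PIN comparison, failed-attempt counter, lockout beyond the maximum,
and clearing by an administrator. Added illustration, not the patent's code.
The administrator HMAC proof, PIN values and limits are constructed stand-ins."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class SecurityCodeServiceDataBlock:
    security_code: str              # the PIN set for the service or zone
    max_failed_attempts: int = 3    # maximum permitted number of failed attempts
    failed_attempts: int = 0        # number of failed authentication attempts
    pin_required: bool = True       # security code use selection
    access_permitted: bool = False  # access permission flag; "inaccessible" by default

    def locked(self):
        """Inaccessible once the failure count exceeds the maximum (step S26)."""
        return self.failed_attempts > self.max_failed_attempts


def check_security_code(block, entered):
    """Steps S21 to S26. Returns "ACCESSIBLE", "DENIED" or "LOCKED" and
    updates the block's counter and access permission flag accordingly."""
    if not block.pin_required:            # security code service disabled: no check
        block.access_permitted = True
        return "ACCESSIBLE"
    if block.locked():                    # a correct PIN no longer helps
        return "LOCKED"
    # constant-time comparison so the check does not leak how much of the PIN matched
    if hmac.compare_digest(block.security_code.encode(), entered.encode()):
        block.failed_attempts = 0         # successful entry clears the counter
        block.access_permitted = True     # step S23
        return "ACCESSIBLE"
    block.failed_attempts += 1            # step S24
    if block.locked():                    # step S25 -> S26
        block.access_permitted = False
        return "LOCKED"
    return "DENIED"


def leave_field(block):
    """Card left the reader's electromagnetic field: drop back to inaccessible."""
    block.access_permitted = False


def make_admin_proof(admin_secret, block_id):
    """Administrator side: proof that admin_clear expects for this block."""
    return hmac.new(admin_secret, block_id.encode(), hashlib.sha256).digest()


def admin_clear(block, admin_secret, block_id, proof):
    """Only the card administrator may clear an exhausted counter. The HMAC
    proof is a constructed stand-in for the private-key authentication the
    text names; a valid proof resets the counter but not the access flag."""
    expected = make_admin_proof(admin_secret, block_id)
    if not hmac.compare_digest(expected, proof):
        return False
    block.failed_attempts = 0
    return True
```

Two details worth noticing: the counter is only cleared on a successful entry, so an attempt that fails after a long gap still counts, and `admin_clear` resets the counter but leaves the access permission flag down, so the user must still present the correct PIN after the administrator intervenes.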
Industrial applicability
While the invention has been shown and described with reference to certain embodiments, it will be apparent to those skilled in the art that alternative embodiments may be made without departing from the spirit and scope of the invention as defined by the appended claims.
Although the embodiment of the present invention has been described with reference to the information management method of the memory area incorporated in the IC card, the present invention is not limited thereto. The present invention is applicable to a method of managing memories incorporated in devices other than an IC card in the same manner.
That is, the foregoing description of the preferred embodiments of the invention has been presented for purposes of illustration and description only and is not intended to be exhaustive or to limit the invention to the precise forms disclosed. The scope of the invention should, therefore, be determined only by the following claims.
Claims (12)
1. A data communication device incorporating an IC chip including a card function simulation circuit and a data processing unit coupled to the card function simulation circuit, the data processing unit having a memory space, the data communication device managing the memory space by dividing the memory space into one or more file systems, wherein the data processing unit further includes:
control means for maintaining a division authority key and managing access to the file system in the memory space; and
a first file system in the memory space allocated to a first service provider, the first file system maintaining an issuer key of the first service provider;
wherein, when a division package generated by encrypting a data block containing a division element package generated by encrypting an issuer key of a second service provider using the division authority key and information on a new file system is received from the second service provider requesting allocation of a new file system, the first file system decrypts the received division package using the issuer key of the first service provider and retrieves the division element package and the information on the new file system, and wherein the control means decrypts the division element package using the division authority key, retrieves an issuer key of the second service provider, divides a free area of the memory space according to the information on the new file system, and allocates the divided storage area to a second file system holding an issuer key of the second service provider.
2. The data communication apparatus according to claim 1, wherein each of the plurality of file systems in the memory space has region identification information, and wherein the control means, when receiving the region identification information on the file system to be accessed and the external access of the package encrypted by using the issuer key of the file system in the form of an argument having the external access, transfers the package to the corresponding file system based on the region identification information, and wherein the file system decrypts the package using the issuer key of the file system.
3. The data communication device according to claim 2, wherein each of the allocated plurality of file systems in the memory space has a system code, and wherein the control means sets the system code of the file system together with the issuer code and the region identification information when a new file system is divided in response to the reception of the division package.
4. The data communication device according to claim 3, wherein when the service provider issues a request for obtaining the area identification information using the system code of the service provider as an argument of the request after obtaining the file system, the control means performs polling on each of the plurality of file systems based on the system code in the request to obtain the area identification information from the corresponding file system and return the obtained area identification information to the requester.
5. The data communication apparatus according to claim 3, wherein the control means rewrites the issuer key and the system code set in the second file system at the time of the division in response to a request from the second service provider after the second service provider obtains the file system.
6. The data communication apparatus according to claim 1, wherein each of the plurality of file systems in the memory space has region identification information, and wherein when external access having an argument form of external access and an access request to the file system encrypted by using the issuer key of the service provider is received from the service provider after the service provider has obtained the file system, the control means transfers the encrypted packet to the corresponding file system based on the region identification information.
7. A method for managing memory of a data communication device having a memory space and managing the memory space by dividing the memory space into one or more file systems, wherein a division right key for authenticating the right to divide the file system and a first file system for authenticating access rights using an issuer key of a first service provider are provided in the memory space, the method comprising the steps of:
receiving, from a second service provider that requests allocation of a new file system, a division package generated by encrypting a data block containing a division element package generated by encrypting an issuer key of the second service provider using the division authority key and information on the new file system, using an issuer key of the first service provider;
decrypting the received division package using the issuer key of the first service provider and retrieving the division element package and the information about the new file system; and
decrypting the division element package using the division authority key, retrieving an issuer key of the second service provider, dividing the free area of the memory space based on the information about the new file system, and assigning the divided storage area to a second file system holding the issuer key of the second service provider.
8. The method for managing memory of a data communication device according to claim 7, wherein each of the plurality of file systems in the memory space has region identification information, and wherein the external access includes the region identification information on the file system to be accessed in the form of an argument and a package encrypted by using the issuer key of the file system, and wherein the method further comprises the steps of: receiving an external access request to the file system with region identification information and a package as arguments of the external access request, transferring the package to a corresponding file system based on the region identification information, and decrypting the package by the file system using the issuer key of the file system.
9. A method for managing memory of a data communication device as recited in claim 8, wherein each of the allocated plurality of file systems in the memory space has system code, and wherein the method further comprises the steps of: setting the system code of the file system together with the issuer code and the region identification information when a new file system is divided in response to the reception of the division package.
10. The method for managing memory of a data communication device of claim 9, further comprising the steps of:
issuing a request for obtaining area identification information using the system code of the service provider as an argument of the request from the service provider after the file system is obtained; and
polling is performed on each of the plurality of file systems based on the system code in the request to request that the region identification information be obtained from the corresponding file system and returned to the requestor.
11. The method for managing memory of a data communication device of claim 9, further comprising the steps of: after the second service provider obtains the file system of the second service provider in the memory space, a request for rewriting the issuer key and the system code set in the second file system at the time of the division is issued from the second service provider, and the issuer key and the system code set in the second file system at the time of the division are rewritten in response to the rewriting request.
12. The method for managing memory of a data communication device of claim 7 wherein each of the plurality of file systems in the memory space has region identification information, and wherein the method further comprises the steps of: receiving, from the service provider, an access request including the region identification information in the form of an argument of the access request and an access request for the file system of the service provider encrypted by using the issuer key of the service provider after the file system has been obtained by the service provider; and transmitting the package to a corresponding file system based on the zone identification information included in the argument of the access request from the service provider.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP001360/2004 | 2004-01-06 | | |
| JP2004001360A JP2005196412A (en) | 2004-01-06 | 2004-01-06 | Data communication apparatus and memory management method for data communication apparatus |
| PCT/JP2004/019202 WO2005066803A1 (en) | 2004-01-06 | 2004-12-22 | Data communicating apparatus and method for managing memory of data communicating apparatus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1097612A1 HK1097612A1 (en) | 2007-06-29 |
| HK1097612B true HK1097612B (en) | 2009-06-12 |
Similar Documents
| Publication | Title |
|---|---|
| US7886970B2 (en) | Data communicating apparatus and method for managing memory of data communicating apparatus |
| JP4051510B2 (en) | Data storage device and data storage method |
| CN100422961C (en) | Data communication apparatus and method for managing memory of data communication apparatus |
| US8793508B2 (en) | Local trusted services manager for a contactless smart card |
| CA2847942C (en) | Writing application data to a secure element |
| CN100454276C (en) | Information management device and information management method |
| JP4029234B2 (en) | Information processing apparatus and information processing method |
| HK1097612B (en) | Data communicating apparatus and method for managing memory of data communicating apparatus |
| JP4618259B2 (en) | Data storage device and data storage method |
| HK1097613B (en) | Data communicating apparatus and method for managing memory of data communicating apparatus |
| JP2005196409A (en) | Data communication apparatus and memory management method for data communication apparatus |
| JP2005196410A (en) | Data communication apparatus and memory management method for data communication apparatus |
| HK1099821B (en) | Information management device and information management method |