JP3173522B2 - Program processing device for IC card - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a program processing apparatus, such as an IC card or an IC card program development device, which can be translated into a machine language format stored in a programmable nonvolatile memory in the IC card. About.

[0002]

2. Description of the Related Art In recent years, applications using IC cards have begun to operate gradually, but a problem common to these systems is that the entire process takes too long. The cause of this problem will be described below with reference to the drawings, taking as an example a case where a prepaid application such as a telephone card is constructed. In the following description, an H8 / 31 manufactured by Hitachi, Ltd. is used as an MPU (microprocessor) of an IC card.
0 (8-bit MPU with built-in EEPROM) is assumed.

However, the memory space of the ROM is $ 000.
0 to 27FF ($ indicates a hexadecimal number; the same applies hereinafter), and the EEPROM is $ 6000 to 7F.
RAM is assigned to the address of FF, and
Assigned to the address of the FBF.

[0004] Table 1 shows an example of a memory layout showing memory addresses and corresponding storage data when the application is realized.

[0005]

[Table 1]

Here, the system program is an IC
Indicates the operation program of the card. The reserve section represents an unused area. The application ID represents 20-byte data used for confirming the validity of the card.

The balance represents 2-byte balance data represented by an unsigned binary value indicating a value of 0 to 65535. The work area represents a work area used in the system, such as a buffer or a stack.

[0010] Table 2 shows a sequence 1 as an example showing an outline of the processing sequence on the terminal side for realizing the application in the order of steps.

[0009]

[Table 2]

[0010] Here, the commands provided in the card are COMPARE, READ and WRITE.
A general-purpose, single-function command E is assumed.

Here, COMPARE is L1 byte data stored from address A1 in the card,
L1 byte data D1 carried by this command
And outputs the result by the status T1. Note that status = $ 00 indicates that the processing has been completed normally, and $ FF indicates that the processing has been abnormally completed.

READ is a command for outputting L2 byte data D2 stored from address A2 in the card. WRITE transfers the L3 byte data D3 carried by this command to the address A3 in the card.
This is the command to be stored.

In a device having a full-duplex communication function, communication processing and command processing can be executed to some extent in parallel, so that communication processing generally does not significantly affect the total processing time. However, since the IC card has to adopt a single processing method due to resource problems, the time T required for the entire processing is the sum of the time T _prc required for command processing and the time T _com required for communication. Is defined by

In this example, T _prc is COMPARE
Time required for processing T _C and time required for READ processing _Tr
And the time T _W required for the WRITE process.

[0015] Thus, the processing time T _prc commands basically division ratio or the MPU such instruction system performance, the access time of the nonvolatile memory incorporated, and depending on the drive frequency f _S and supplies the terminal It has personality and basic improvements cannot be made on the card side. For this reason,
The command processing time _Tprc is constant when viewed from the card side.

On the other hand, T _com is T _com = T1 + nT
_Z (where T1 indicates the time required for transmission of all characters excluding a header and a trailer described later), n indicates the number of communication messages (= [number of commands] + [number of responses]), and T
_Z is at least 4 attached to each command / response specified in the international standard (IS 7816-3) for IC cards.
Indicates the time required for transmission of the byte transmission control header and trailer. same as below. ).

T1 is basically the time required for transmission of non-deletable data, in this embodiment, the application ID and the amount of money, and depends on the transmission speed and the amount of transmitted information.
However, since the amount of information transmitted from an IC card is not so large, the effect of compressing the amount of transmission is extremely low.

If the transmission character is composed of 1 bit of start, 8 bits of data, 1 bit of vertical parity, and 1 bit of stop, T
_Z indicates T _Z = 44 (F / (fs · D)) (where F indicates the transmission control parameter (1), D indicates the transmission control parameter (2), f _S indicates the drive frequency, and so on. .)
Bend. Therefore, T _com is approximately T _com = T1
Is a + n (44 (F / ( f S · D))).

To reduce the processing time T in this case,
The communication time T _com may be reduced. However, since F, D, and f _S that define the transmission rate are fixed here, their values depend only on the amount of transmission information.

However, in the case of the IC card, as in the case of T1, the amount of information to be transmitted is not originally large, so that the effect of compressing the amount of transmission is extremely low. Therefore, T _com approximately depends only on the number n of command / response exchanges.

Next, consider the command / response exchange count n. As is clear from the sequence 1, in the case of the card having only the single function command, n = 6 times (S21, 22, 41, 42, 61,
Since the command / response block of 62) is exchanged, the communication time T _com1 is T _com1 = T1
Tasu264 is defined as _{(F / (f S · D} )).

However, by mounting a high function command such as COM_ALL on the card, Sequence 1 can be simplified as Sequence 2 in (Table 3).

However, COM_ALL compares the L1 byte data stored from the address A1 in the card with the L1 byte data D1 carried by this command. The L2 byte data D2 stored from the address A2 is compared with the L2 byte data D3 conveyed by this command. Only when D2 ≧ D3, the L2 byte data [D2-D3] is stored in the card. From the address A2. This command outputs the processing result (T1) and [D2-D3] as a response.

[0024]

[Table 3]

As described above, if a series of processes can be executed by a single command / response exchange, the communication blocks become S31 and S32, and the number n of communication blocks can be set to 2. The communication time T _com is T _com
Until 2 = T1 + 88 (F / (f S · D)) can be reduced.

However, it is extremely difficult to design such a high-function command unless the actual application is clarified. In practice, a system program, which is software of the IC card itself, is determined by the manufacturer when the application is determined. Because of the necessity of changing, it was pointed out that the delivery date or cost did not meet the market requirements.

In order to solve such a problem, a user program is stored in a programmable non-volatile memory, and the card receives a start command (including use data) of the program, thereby allowing the program to be stored in the program. A method of executing a series of processes described in (1) and returning a result including a process status (including data in some cases) as a response "has been studied.

[0028]

The above-mentioned method solves the above-mentioned problem by "creating and registering a program for executing each application most efficiently for each user". The following two methods are being studied as specific methods.

Method 1 is a method in which a user program is stored in a non-volatile memory in a machine language format, as found in JP-B-63-25393, "Portable Data Carrier for Storing and Processing Data". Method 2 is disclosed in Japanese Patent Application No. 59-176329 “IC card” of the present applicant.
In this method, a user program is stored in a non-volatile memory in an intermediate language format, and is sequentially translated and executed by an MPU in the card.

However, these methods have the following disadvantages, and have not been put to practical use yet. Method 1
Is because the user program is written in machine language format,
Although it is excellent in processing speed and capacity of the program itself, on the other hand, since the user program is in the object format, there is a danger that a "routine for illegally falsifying or falsifying data in the card" is incorporated therein. . Here, the danger will be described by describing an example of the unauthorized routine in the above application. Here, for convenience of explanation, the reserve section 4 of the sequence 1 is used as a storage area for a user program in a machine language format.

The following is an example of a virus program that "changes part of the application ID illegally".

[0032]

[Table 4]

However, S100 sets $ FFFF in the 16-bit register R0, S110 sets the RAM address $ FEC0 in the 16-bit register R5, and S120 sets the contents of R0 in the RAM indicated by R5. Copy to the address of the area, S130 sets the EEPROM address $ 6000 in the 16-bit register R6, S140 sets the write data length 2 in the 8-bit register R4L, and S150 stores the write data length in the memory indicated by R5. The stored R4L byte data is EEPRO
Write to address R6 of M (data $ FFFF is $ 600
(Written from address 0).

When this program is stored in a card by a fraudulent person, each time an execution command (hereinafter abbreviated as EXECUTE) of the program is issued, the above virus program is executed, and the purpose of the fraudulent person is Is achieved. In an actual virus program, there is a process for making a response or the like identical to that executed by a legitimate program, but is omitted here.

The method 2 is designed to solve such a security problem. In this method,
Since the user program is stored in the intermediate language format and can be translated and executed at runtime, if a user program containing illegal processing is detected,
There is an advantage that it is theoretically possible to interrupt or stop the processing. However, there has been a problem that it is difficult to realize the MPU since an MPU having the capability to realize the method has not been released at this stage.

According to the present invention, means for detecting and removing a "virus program" which is a factor of the security threat related to the method 1 at the time of translation, and generating information for detecting a virus program developed by an unauthorized device are generated. The above problem is solved by providing the means.

[0037]

According to a first aspect of the present invention, there is provided a program processing device for an IC card, comprising a programmable non-volatile memory, and a processing device for executing a program command stored in the non-volatile memory. The program processing device for an IC card includes at least a first means for translating a program in a language other than a machine language into a machine language program, and a second means for storing position identification information of secret information in the IC card And the first means refers to the position specifying information of the second means and translates a program in a language other than a machine language, and when a reference / change instruction to confidential information is found in the translated content, This is a program processing device for an IC card in which the translation is interrupted or stopped.

Here, the programmable non-volatile memory may be a ROM having a backup power supply or an EPROM. The language other than the machine language is not limited to an intermediate language such as an assembler, but also includes a high-level language such as C. At least one
The arithmetic processing taking into account the two secret parameters is not limited to the reference / instruction information corresponding to the secret information, and may include indirect information such as the address thereof.

According to a second aspect of the present invention, there is provided the program processing device for an IC card according to the first aspect, wherein the second means comprises an IC card. In this case, I
The location identification information of the secret information in the C card is not the main body of the program processing device for the IC card, but the IC connected thereto.
Since the card is held, there is a meaning that security is improved. However, when the capacity of the memory in the IC card is limited, the position specifying information may be provided outside the IC card program processing device.

According to a third aspect of the present invention, there is provided an IC card program processing device comprising a programmable non-volatile memory and a processing device for executing a program command stored in the non-volatile memory. The processing device includes at least a first unit for translating a program in a language other than a machine language into a machine language program, a second unit for storing position identification information of secret information in an IC card, and an output after translation And a third means for performing an arithmetic operation on at least one secret parameter with respect to a part or the whole of the program, and changing the operation result into a machine language in a format attached to the translation content. The first means translates a program in a language other than the machine language with reference to the position specifying information of the second means, and the third means attaches an operation result to the translated content. And a program processing apparatus for the IC card to change the machine language format. Here, the programmable non-volatile memory is a ROM having a backup power supply.
However, an EPROM may be used. The language other than the machine language is not limited to an intermediate language such as an assembler, but also includes a high-level language such as C. The arithmetic processing taking into account at least one secret parameter is not limited to reference / instruction information corresponding to secret information, and may include indirect information such as its address.

[0041]

A fourth aspect of the present invention is the program processing device according to the third aspect, wherein the second means is constituted by an IC card.

A fifth aspect of the present invention is the program processing device according to the third or fourth aspect, wherein the third means is constituted by an IC card.

[0044]

As described above, since it is possible to automatically detect whether or not an application is a virus program at the time of translation and to eliminate it, the application can be safely processed in machine language as it is. .

[0045]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Taking the prepaid application described above as an example, its components and processing will be described below with reference to the drawings.

FIG. 1 shows an example of a program development device which is a kind of a program processing device, and includes a storage device 1000 composed of a semiconductor memory or the like and a C connected to the device.
It consists of PU2000. The storage device 1000
The inside is divided into a program storage area 1100 and a data storage area 1200, and the CPU performs processing according to a program stored in a storage medium.

In the program storage area 1100,
A translation program 1110 for translating a source program such as an assembler that is not a machine language into a machine language, and a change program 1120 for converting the machine language program into a download format are stored. The data storage area 1200 includes a source program storage area 1210, an object program storage area 1220, a download program storage area 1230, and a secret information storage area 1240.
Inside, a secret information position 1241 in the card and a secret code 1242 are stored.

FIG. 2 shows the functional relationship between the program and data. Translation program 1110
Translates the source program stored in the source program storage area 1210 with reference to the secret information position 1241, and outputs the result to the object program storage area 1220.

The change program 1120 performs an arithmetic process on the object program in consideration of the secret code 1242, and outputs the result (CER) to the download program storage area 1230 in a format attached to the object program. .

FIG. 3 shows an example of a storage format of a source, an object, and a download program in this embodiment. The source program is stored in the source program storage area 1210 in a file format. Each instruction logically separated by Sp (separator) such as CR (carriage return) is stored as a record (S (n)), and is referred to by its number (n = 0, 1, 2,...). Is done. Also, a code EOF (end of file) for end detection is added to the last record.

The object program is stored in a file format in the object program storage area 1220. Records logically separated by Sp (T (n))
Are referenced by their numbers (n = 0, 1, 2,...). The number of records i is added to the head of the file, and the STS indicating the result of the translation processing is added to the end.

The download program is stored in the download program storage area 1230 in a format similar to the object program. However, the end is S
The validity code CER is added instead of the TS.

Next, the operation of the translation program will be described with reference to FIG. Here, for simplicity of description, only processing for detecting a virus program that "handles a secret information position as an immediate value and illegally writes in a nonvolatile memory" will be described. Here, a one-pass type translation program is assumed.

[0054]

[Table 5]

After the above processing is completed, the CPU 2000
Is read, and if STS = $ 00, the change program is started; otherwise, the process is interrupted or stopped to prevent the virus program from being mixed.

Next, a method for preventing a fraudulent person from creating a virus program and injecting it into a card using a program development device other than the present device will be described.

FIG. 5 shows an example of generating a validity confirmation code (CER) that enables such a fraud to be detected on the card side.

[0058]

[Table 6]

The present invention is constituted by transferring the download program generated by the above processing to the IC card, checking the CER in the card, and storing T (n) only when the card is normal.

By using the present apparatus, it is possible to use a user program started by EXECUTE as described in the machine language (Table 7), so that the method 1 described above can be realized. Becomes

[0061]

[Table 7]

The outline of this user program is described in S100
To 200 are the applications I stored in the card.
D and data D1 are compared, and if they are the same, S2
00, and otherwise set $ FE (assumed to be a collation error) in R4L and then branch to S330. In steps S210 to S280, D2 and D3 are compared, and D2 ≧ D3. If so, set D2-D3 to R3 and then go to S280, otherwise R4L
After setting $ FF (the balance was insufficient) to S330
In steps S290 to S340, R
3 is written to $ 6100, and the result is written to $ FE
Registered in C2, @ FEC3. After that, 3 is added to R4H,
In the process of setting $ 00 to L and branching to S340,
S350 is a process of setting 1 to R4H.
Sets the content (output length) of R4H to $ FEC0,
R4L contents (processing status) to $ FEC1, R3
Contents (updated balance) of $ FEC2 and $ FEC
3 is a process of storing each.

In such an environment, the above prepaid application can be easily processed as shown in Sequence 3 in (Table 8).

[0064]

[Table 8]

It compares the 20-byte data stored from the address $ 6000 in the card with the 20-byte data D1 carried by this command,
If they are the same, the address in the card is $ 6100
Is compared with the 2-byte data D3 carried by this command,
Only when D2 ≧ D3, 2-byte data [D2
-D3] is stored from address # 6100 in the card. The processing result (T1) and [D2-D3] are output as a response.

The received data D1 has the address $ FEC
0, and the data D3 are stored in $ FED4 ~. The transmission data has an output length within $ FEC0,
The actual transmission data is stored in FEC1.

In the sequence 3, the communication time T _com can be reduced to T _com 2 = T1 + 88 (F / (f _S · D)). Further, since the transmission information amount itself is also reduced, the effect is large.

As a result of the above, an example of translating an unauthorized program when the above-mentioned example of a virus program is processed will be described.

[0069]

[Table 9]

As is clear from the above, the malicious program described above is judged as a malicious program at the time of translation of S (5) because AS matches D (0) and AE matches D (1). You.

The communication time T _com has a large effect because the amount of transmitted information itself is also reduced.

The functions for generating the validity confirmation code are DES and FEA which are public encryption functions in a symmetric key format.
L or RS which is a public encryption function of a symmetric key format.
It is desirable to use a cryptographic function with high security strength such as A.

[0073]

In the present embodiment, an example is described in which the secret information and the change processing are on the development device side. However, by storing them in a physically secure IC card in a machine language format,
Further, the security of the system can be enhanced, and at the same time, the processing speed has been increased because of the object format.

[0074]

[Brief description of the drawings]

FIG. 1 is a configuration example of a development device according to an embodiment of the present invention.

FIG. 2 is a system flow of a development device according to an embodiment of the present invention.

FIG. 3 is a format of a file used according to an embodiment of the present invention.

FIG. 4 is a flowchart of a translation program according to an embodiment of the present invention.

FIG. 5 is a flowchart of a change program according to an embodiment of the present invention.

[Explanation of symbols]

 1000 storage device 1100 program storage area 1110 translation program 1120 change program 1200 data storage area 1210 source program storage area 1220 object program storage area 1230 download program storage area 1240 secret information storage area 1241 secret information location 1242 secret code 2000 CPU

Claims (5)

(57) [Claims] 1. An IC card program processing device comprising a programmable non-volatile memory and a processing device for executing a program command stored in the non-volatile memory, wherein the IC card program processing device comprises: At least first means for translating a program in a language other than a machine language into a machine language program, and second means for storing position identification information of secret information in an IC card, wherein the first means Translates a program in a language other than the machine language with reference to the position specifying information of the second means, and includes a reference to the secret information in the translated content.
An IC card program processing device for interrupting or stopping translation when a change instruction is found. 2. The IC card program processing device according to claim 1, wherein said second means comprises an IC card. 3. An IC card program processing device comprising: a programmable non-volatile memory; and a processing device for executing a program command stored in the non-volatile memory. At least a first means for translating a program in a language other than a machine language into a machine language program, a second means for storing position identification information of secret information in an IC card, and a Third means for performing an arithmetic processing on at least one part of the secret parameters in consideration of at least one secret parameter, and changing the arithmetic result into a machine language in a format attached to the translation content; The first means translates a program in a language other than the machine language with reference to the position specifying information of the second means, and the third means translates the operation result into the translated content. Format of the IC card program processing apparatus to change into machine language marked with. 4. The IC card program processing device according to claim 3, wherein said second means comprises an IC card. 5. The IC card program processing device according to claim 3, wherein said third means is constituted by an IC card.