JP2004185348A - Program correction method and its implementation IC card - Google Patents

Abstract

To modify a program of an IC card, a large number of IC cards are issued to prevent a user or a third party from referring to the program code or rewriting the program code with an illegal program code. All had to be collected and all the IC card programs stored in the IC card had to be corrected.
An IC card program can be modified without having to collect and manage the IC card by providing the IC card with a means for decoding program modification information and a means for managing history information of modification information. . In addition, by providing a means for verifying the program code and a means for controlling the execution of the IC card and making the IC card unusable, the unauthorized alteration of the program code is detected, and the unauthorized use of the IC card is prevented. Can be prevented.
[Selection diagram] Fig. 1

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a technique for modifying a program stored in a general-purpose storage medium such as an IC card.
[0002]
[Prior art]
The IC card is not a medium for writing data, such as a memory card, but includes a CPU and can execute a program code stored in the memory. Generally, a program executed in the IC card (IC card program) is generally stored in a memory provided in the IC card, in particular, a non-writable nonvolatile memory such as a ROM. There is also a method of storing necessary program codes in a writable nonvolatile memory such as an EEPROM as disclosed in Japanese Patent Application Laid-Open No. 07-210642.
[0003]
[Patent Document 1]
JP-A-07-210642
[Problems to be solved by the invention]
If there is an error in the IC card program, it is necessary to change the program code, and it is necessary to collect tens or hundreds of thousands of issued IC cards. In the case of an IC card in which a plurality of application programs can be mounted, some of them can dynamically load and delete the application programs. Therefore, after deleting the application programs, reload the corrected application programs. It is possible. However, once the program code is stored in the ROM, the IC card program stored in the ROM cannot be changed later, so the IC card must be reissued.
[0005]
Further, as described in the related art, it is conceivable that the necessary program code is stored in a writable nonvolatile memory such as an EEPROM. It was necessary to prevent the third party including the card user from referring to the corrected program code, and the IC card had to be collected.
[0006]
A first object of the present invention is to automatically correct an IC card program that needs to be corrected without collecting the IC card from a user. Further, when an error in the IC card program is found many times, it is conceivable that the correction content is updated each time. Therefore, means for preventing the corrected content from being overwritten with the old correction content is also required.
[0007]
A second object of the present invention is to prevent an illegal program code from being executed if an IC card program is rewritten by an illegal program code.
[0008]
[Means for Solving the Problems]
In order to achieve the first object, a function for decoding program modification information, a function for storing a modified program code, information for managing a history of modification of an IC card program, and necessary program modification information are provided. A function of judging from history information is provided in the IC card.
[0009]
In order to achieve the second object, a function for verifying the validity of the corrected program code and a function for stopping the IC card in the event that the program code is rewritten by an illegal program code are provided.
[0010]
BEST MODE FOR CARRYING OUT THE INVENTION
In general, an IC card has an IC chip mounted thereon, and the IC chip for the IC card usually includes a CPU and three types of memories. This memory is typically a non-rewritable non-volatile memory such as a ROM (Read Only Memory), a rewritable non-volatile memory such as an EEPROM (Electrically Erasable and Programmable Read Only Memory), and a rewritable memory such as a RAM (Random Access Memory). It is well known that it is composed of a volatile memory. It is also known that an IC card exchanges information with an external device such as a portable terminal or a personal computer (PC) by means of a command and a command response via a device usually called an IC card reader / writer. It is also known that the data passed to the card by the command is called command data, and that the command passed by the card as a command processing result includes response data and a response code.
[0011]
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
[0012]
FIG. 1 is a configuration diagram of the present invention. The IC card (0100) includes a ROM (0104) and an EEPROM (0102). The IC card (0100) and the external device (0120) include a data transmitting / receiving unit (0118) and an IC card interface unit (132), respectively. To exchange information. The IC card (0100) includes an encryption control unit (0116) for decrypting the encrypted data, and a decrypted data of the encrypted program modification information (0112) in a program modification information storage area (0122). ), And a jump table (0130) for branching to a program code group (0128) corresponding to the received command data, and a program code group (0130). To execute (0128), the program execution unit (134) branches to an appropriate program code with reference to the jump table (0130). As shown in FIG. 2, the decrypted program correction information (0126) is data including history information (136), a correction program code (140), and a correction jump table (138). It is configured. The program correction information storage area (0122) for storing the correction program code (140) is stored in the EEPROM (0102) together with the history information (0106) and the jump table (0130).
[0013]
Hereinafter, a first embodiment of the present invention will be described with reference to the drawings.
[0014]
FIG. 2 is a specific example of the program modification information (0126). The configuration of the program modification information (0126) is as described above. Further, the program modification information (0126) is encrypted to prevent information leakage to the user and the third party. Further, it is preferable that authentication data (0124) for authentication is added and the data is authenticated.
[0015]
FIG. 3 is a control flow in the first embodiment. The encrypted program modification information (0112) is transmitted from the IC card interface unit (132) of the external device (0120) to the data transmission / reception unit (0118) of the IC card (0100). There are no particular restrictions on the timing of receiving the encrypted program modification information (0112), but power is supplied to the IC card (0100) when communication between the external device (0120) and the IC card (0100) is established. After that, it is desirable that the external device (0120) receives the first response from the IC card (0100). After the communication is established, when the IC card (0100) receives the command data, the program execution unit (134) calls the program correction information storage control unit (0114), and encrypts the program correction information (0112). It is decrypted by the encryption control unit (0116). The program modification information storage controller (0114) compares the modification history information (136) with the history information (0106) stored in the IC card (0100), and compares the modification history information (136) with the modification history information (136). If it is newer, the program code for correction (140) is stored in the program correction information storage area (0122). Also, the history information (0106) and the jump table (0130) are updated to the history information for correction (136) and the jump table for correction (138), respectively. At this time, a response code indicating that the correction program code (140) is stored is sent to the external device (0120). If the history information for correction (136) is older or the same, the program code for correction (140) is not stored in the program correction information storage area (0122), and the history information (0106) and The jump table (0130) is also not updated. At this time, a response code indicating that the program code for correction (140) is not stored is returned to the external device (0120).
[0016]
FIG. 4 is a flowchart illustrating the program execution unit (134) according to the first embodiment. First, it is determined whether or not the received command data is command data for receiving the encrypted program modification information (0112) (0600). When the encrypted program modification information (0112) is received, the process branches to the program modification information storage control unit (0114) (0602). In the case of other command data, the address of the program code to be executed is obtained from the jump table (0130) based on the command data (0300), and the process branches to the obtained address (0302).
[0017]
FIG. 5 is a flowchart of the program modification information storage control unit (0114) in the first embodiment. First, the program modification information (0112) encrypted by the encryption control unit (0116) is decrypted (0700). When the decryption of the data is completed, authentication based on the authentication data (0124) is performed (0702). If the authentication data (0124) is correct, the history information for correction (136) is compared with the history information (0106) stored in the IC card (0100) (0704). If the correction history information (136) is newer than the already stored history information (0106), the correction program code (140) is stored in the program correction information storage area (0122) (0706), and jump is performed. The code (0130) and the history information (0106) are updated (0708, 0710). After updating each data, a response code indicating that the decrypted program modification information (0126) is stored in the program modification information storage area (0122) is transmitted (0712). If the history information for correction (136) is older than or the same as the history information (0106) already stored, the decrypted program correction information (0126) is not stored, but is decrypted. A response code indicating that the program correction information (0126) is unnecessary is transmitted (0714). If the authentication data (0124) does not match, a response code indicating that the authentication data (0124) is invalid is returned (0716).
[0018]
In the case of the present embodiment, the program correction information storage control unit (0114) is not a target of the program correction method according to the present invention. This is to prevent the program correction information storage control unit (0114) from being rewritten by malicious program code.
[0019]
Hereinafter, Embodiment 2 which is another embodiment of Embodiment 1 will be described in detail with reference to the drawings.
[0020]
FIG. 6 is a flowchart of the program modification information storage control unit (0114) in the second embodiment. The difference from FIG. 5 is that an authentication mismatch counter that counts the number of times the authentication data (0124) has mismatched and an upper limit thereof are provided. In other words, by setting the upper limit, defense against repeated attacks from attackers is realized.
[0021]
First, the authentication mismatch counter is compared with its upper limit (804). If the authentication mismatch counter reaches the upper limit, the encrypted program modification information (0112) is not decrypted, and a response code indicating that the authentication mismatch counter has reached the upper limit is returned (0806). If the upper limit has not been reached, the data is decrypted (0700) and the authentication data (0124) is confirmed (0702) as in FIG. If the authentication data (0124) is correct, the subsequent processing is as described with reference to FIG. If the authentication data (0124) is not correct, the authentication mismatch counter is updated (0802), and a response code indicating that the authentication data (0124) does not match is returned (0716).
[0022]
Hereinafter, a third embodiment which is still another embodiment will be described in detail.
[0023]
FIG. 7 is a configuration diagram of the present invention. The difference from FIG. 1 is that a program verification unit (0900) for verifying the corrected program code (0108) stored in the program correction information storage area (0122) and a card execution control unit for controlling the execution of the card (0902) is that encrypted verification information (0904) is added to the IC card (0100) and as command data received from the external device (0120). Note that the IC card (0100) may be used offline, but the user of the IC card (0100) ultimately needs to settle online, so the verification information (0904) is transmitted to the IC card (0100). The external device (0120) that transmits the verification information (0904) can be trusted by the host computer provided by the issuer of the IC card (0100) or connected to the host computer online. It is assumed that this is the state.
[0024]
FIG. 8 is an example of the verification information (0904) in the third embodiment. The verification information (0904) is composed of correction history information (136), authentication data (0124), and verification data (1000). The verification data (1000) is data uniquely obtained by an arbitrary algorithm from the correction jump table (138) and the correction program code (140). Examples of the verification data (1000) include a hash code.
[0025]
FIG. 9 is a flowchart illustrating the program execution unit (134) according to the third embodiment. The difference from FIG. 4 is that it is determined whether the card can be executed before the command is distributed (1200). This determination is made by providing an indicator that means that the card cannot be executed, and determining whether the indicator is set to an arbitrary value. If it cannot be executed, processing for stopping the execution of the card (1206) and processing for determining whether or not the command data is for receiving the verification information (0904) (1202), and branching to the program verification unit (0900) ( 1204) is added. Since it is necessary to prevent the program verification unit (0900) from being rewritten by malicious program code, the program verification unit (0900) is not subjected to the program correction method of the present invention.
[0026]
FIG. 10 is a flowchart of the program verification unit (0900) according to the third embodiment. The program verification unit (0900) requests control to the encryption control unit (0116) and decrypts the verification information (0904) (1100). After the decryption is completed, it is determined whether or not the authentication data (0124) is correct (1102). If the authentication data (0124) does not match, a response code indicating the mismatch is returned (1116). Further, as in the second embodiment, if update processing and determination processing of the authentication mismatch counter are provided, it becomes a defense means against an attacker. If the authentication data (0124) is correct, the history information (0106) already stored is compared with the verification history information (906) (1104). When the history information for verification (906) and the stored history information (0106) match, the jump table (0130) stored in the IC card (0100) and the program correction information storage area (0122) are stored. Using the stored corrected program code (0108) as an input, data for verification is obtained by an algorithm for obtaining verification data (1000) (1106), and the obtained value is compared with the verification data (1000). (1108). If the verification data (1000) matches the verification data obtained in the process (1106), the corrected program code (0108) is proved to be correct, and a response code indicating that the verification result is correct Is transmitted (1110). If the verification data (1000) does not match the verification data obtained in the process (1106), the flow branches to the card execution control unit (0902) (1112). The card execution control unit (0902) sets an indicator indicating that the card described with reference to FIG. 9 cannot be executed, and stops the card. The method of stopping the card depends on the specifications of the IC card (0100), and is therefore omitted.
[0027]
Note that the card execution control unit (0902) may immediately stop the IC card when the verification information (0904) does not match, but returns a response code indicating that the verification information (0904) does not match. By doing so, the external device (0120) that has received the response code can recognize that an incorrect program code is stored, and therefore, the external device (0120) stores the incorrect program code in the card management source. Can be notified.
[0028]
Hereinafter, a fourth embodiment which is still another embodiment will be described in detail.
[0029]
FIG. 11 is a flowchart illustrating the program verification unit (0900) according to the fourth embodiment. The difference from FIG. 10 is the handling when the history information (136) and the history information (0106) in the IC card (0100) do not match. In the case of the third embodiment, the verification information (0904) must be transmitted from the external device (0120) any number of times until the verification information (0904) that matches the verification history information (906) is received. However, according to the present embodiment, the history information (0106) in the IC card (0100) is encrypted (1500) and returned as history information response data (1600). ) Is returned to the external device (0120) (1502), so that the external device (0120) can recognize appropriate verification information (0904), and it is necessary to transmit and receive the verification information (0904) many times. Disappears. Further, in the present embodiment, data for stopping the IC card (0100) is provided on the assumption that the IC card (0100) is falsified with an invalid program code. As stop data of the IC card (0100), a unique value not used as correction history information (136) is assigned in advance. Then, it is determined whether the data is stop data for the IC card (0100) (1504). If the data is stop data, the control is passed to the card execution control unit (0902) to stop the IC card (0100). If the data is not stop data, the program is verified by obtaining verification data as in FIG.
[0030]
FIG. 12 is an example of the history information response data (1600) in the fourth embodiment. The history information response data (1600) includes the history information (0106) and the authentication data (0124), and the authentication data (0124) can identify that the data was created with a valid IC card (0100). .
[0031]
As described above, since highly confidential information such as the corrected program code can be referred to only in the card, there is an effect that the program code can be corrected safely without collecting the IC card.
[0032]
In addition, since the IC card itself can determine whether it is necessary correction information, there is an effect of preventing operational failure such as returning the IC card program to an old program code.
[0033]
In addition, since it is not necessary to manage the history of correction of each IC card, there is an effect of reducing the space required for managing history information of the IC card and the cost required for managing the information.
[0034]
Further, by verifying the validity of the program code, it is possible to detect tampering of the card due to unauthorized rewriting of the program code, and further to prevent illegal use of the card.
[0035]
【The invention's effect】
According to the present invention, since highly confidential information such as the corrected program code can be referred to only in the card, the program code can be corrected safely without collecting the IC card.
[Brief description of the drawings]
FIG. 1 is a configuration diagram of the present invention.
FIG. 2 is a specific example of program modification information.
FIG. 3 is a control flow according to the first embodiment.
FIG. 4 is a flowchart illustrating a program execution unit according to the first embodiment.
FIG. 5 is a flowchart illustrating a program modification information storage control unit according to the first embodiment.
FIG. 6 is a flowchart illustrating a program modification information storage control unit according to the second embodiment.
7 is a block diagram of the present invention in claim 2. FIG. 8 is a specific example of verification information. FIG. 9 is a flowchart showing a program execution unit in the third embodiment. FIG. 10 is a flowchart of a program verification unit in the third embodiment. FIG. 11 is a flowchart of a program verification unit according to the fourth embodiment. FIG. 12 is a specific example of history information response data.
0100 IC card 0102 EEPROM
0104 @ ROM
0106 {history information 0108} modified program code 0112 {encrypted program modification information 0114} program modification information storage control unit 0116 {encryption control unit 0118} data transmission / reception unit 0120 {external device 0122} program modification information storage area 0124 ‥ Authentication data 0126 ‥ Decrypted program modification information 0128 ‥ Program code group 0130 ‥ Jump table 132 ‥ IC card interface unit 134 ‥ Program execution unit 136 ‥ Correction history information 138 ‥ Correct jump table 140 ‥ Correction Program code 0900 ‥ program verification unit 0902 ‥ card execution control unit 0904 ‥ verification information 906 ‥ verification history information 1000 ‥ verification data 1600 ‥ history information response data

Claims (5)

A non-rewritable nonvolatile memory, a rewritable nonvolatile memory, a CPU for accessing the non-rewritable nonvolatile memory and the rewritable nonvolatile memory, and a command data provided from an external device. A program execution unit that branches to a program code, an encryption control unit that encrypts and decrypts encrypted data, a data transmission and reception unit that exchanges data with the external device, and a program that is received from the external device. In a method for correcting a program in an IC card comprising a program correction information storage area for storing a program code included in the correction information, and a program correction information storage control unit for storing the program correction information,
Receiving encrypted program modification information composed of data including a program code and history information provided from the external device, and determining whether to store the program code based on the history information. Characteristic program modification method. Verification information for verifying the program modification information, and the verification information verifies the validity of the program code stored in the program modification information storage area, and when incorrect program modification information is stored, 2. The method according to claim 1, wherein the use of the IC card is disabled. The method according to claim 1, wherein the history is a correction history of the program. A non-rewritable nonvolatile memory, a rewritable nonvolatile memory, a CPU for accessing the non-rewritable nonvolatile memory and the rewritable nonvolatile memory, and a command data provided from an external device. A program execution unit that branches to a program code, an encryption control unit that encrypts and decrypts encrypted data, a data transmission and reception unit that exchanges data with the external device, and a program that is received from the external device. An IC card comprising: a program correction information storage area for storing a program code included in the correction information; and a program correction information storage control unit for storing the program correction information.
Means for receiving encrypted program modification information composed of data including program code and history information provided from the external device, and determining whether to store the program code based on the history information And an IC card. Verification information for verifying the program correction information; means for verifying the validity of the program code stored in the program correction information storage area by the verification information; and 5. The IC card according to claim 4, further comprising means for making the IC card unusable.

Images