The present invention relates to a safe for electronic money and an electronic money system for managing, in one place, electronic money that represents a currency value as electronic information, and more specifically to a safe for electronic money used in business transactions with an IC card and to an electronic money system using that safe.
In recent years, much public attention has been focused on so-called electronic money systems, in which electronic digital data is used as money for settlement in place of traditional bills or coins, because of the safety and convenience this offers for settling business transactions. Financial institutions such as banks therefore need to install a safe for electronic money (hereafter abbreviated as safe) for batch management of electronic money, and safes with high reliability are in demand.
When a customer loads electronic money into an IC card using a load terminal of a bank, electronic money must be exchanged directly between the customer's IC card and a safe in the bank. For this purpose the safe is provided with a storage section in which the data for the electronic money is stored, so that on a load request from a customer the electronic money can be exchanged directly between the customer's IC card and the storage section of the safe.
Strong security is required for a safe, and multiplexing (redundant execution of each transfer by several units whose results are compared) is a known technique for transferring electronic money so that the validity of a transaction can be verified.
A conventional type of safe is described next. FIG. 24 shows the functional configuration of a conventional safe. As shown in FIG. 24, this safe mainly has three command control sections 201, 202 and 203, each connected to a communicating section 100. The command control sections 201, 202 and 203 are connected to the communicating section 100 via bus interfaces 301, 302 and 303 respectively. The communicating section 100 has a comparator 101 which compares the execution results of the command control sections 201 to 203 with one another. The communicating section 100 is connected to an upper device, not shown, via a bus interface 400, and receives commands for processing from the upper device via the bus interface 400.
Next, the operation of the safe with the configuration described above is explained. To improve reliability, the safe in FIG. 24 has, for instance, three command control sections 201, 202 and 203. According to an instruction from the upper device, the communicating section 100 instructs the command control sections 201 to 203 to execute the same processing, and receives a result from each of them. The communicating section 100 compares the results from the command control sections 201 to 203 using the comparator 101 and carries out the multiplexing processing, such as confirming that the processing completed normally. Each of the command control sections 201 to 203 also stores its own copy of the electronic money value, and manages that value by processing commands from the communicating section 100.
However, in the conventional safe described above, identical processing is executed in each of the command control sections 201 to 203 under the control of the communicating section 100, so an identical value is stored as electronic money in each of the command control sections 201 to 203, and physically a value three times the actual value is stored in the system.
Illegal modification of a system built on this multiplexing technology therefore allows, for instance, the cases shown in FIG. 25. FIG. 25A shows a case where the interface between the communicating section 100 and command control section 201 has been modified: only the command control section 201 is connected to the communicating section 100, via the bus interface 304, and the other two terminals of the communicating section 100 are also connected to the bus interface 304.
FIG. 25B shows a case where the interface between the communicating section 100 and command control section 202 has been modified: only the command control section 202 is connected to the communicating section 100, via the bus interface 305, and the other two terminals of the communicating section 100 are also connected to the bus interface 305. Although not shown, a case where the interface between the communicating section and command control section 203 is modified is equally conceivable.
A safe modified in this manner can be produced through reverse engineering. Once modified, only one command control section is connected to the communicating section 100, yet the comparator 101 still sees three agreeing results, because all three terminals reach that one section. If a value is drawn through the connection shown in FIG. 25A (between the communicating section 100 and command control section 201), then drawn again through the connection shown in FIG. 25B (between the communicating section 100 and command control section 202), and drawn a third time through the connection between the communicating section 100 and command control section 203 (not shown), a value three times the original can be drawn illegally.
As this example shows, the conventional multiplexing technology has the problem that the actual value is easily multiplied and multiplexed drawing is possible.
To solve this problem in the conventional technology, it is an object of the present invention to provide a safe for electronic money and an electronic money system capable of preventing multiplex drawing of a value under multiplexing control.
With the invention, a command from an upper device is transferred from a communicating section to a command control section and the result of the command processing is returned from the command control section to the communicating section through a first interface, while a command for diagnosis is transferred from the communicating section to the command control section and the result of the diagnosis is returned from the command control section to the communicating section through a second interface. Therefore, even if the path for command processing is illegally manipulated, the manipulation can easily be detected from the path for diagnosis, so that multiplex drawing of a value under multiplexing control can be prevented.
With the invention, the paths for command processing and for diagnosis are physically independent of each other, so that an illegal operation on either path can easily be detected, and multiplex drawing of a value under multiplexing control can be prevented.
With the invention, a command from an upper device is transferred from a communicating section to a command control section and the result of the command processing is returned from the command control section to the communicating section, and a command for diagnosis is transferred from the communicating section to the command control section and the result of the diagnosis is returned from the command control section to the communicating section, all through a single interface. Therefore, even if the path for command processing is illegally manipulated, the manipulation can easily be detected from the diagnosis performed during the data processing, so that multiplex drawing of a value under multiplexing control can be prevented.
With the invention, command processing for a plurality of command control sections is executed at the same timing, so that an illegal operation performed at a different timing can be prevented.
With the invention, the communicating section controls the diagnosis processing for a plurality of command control sections at the same timing, so that an illegal operation performed at a different timing can be prevented.
With the invention, the communicating section controls command processing for a plurality of command control sections at different timings, so that an illegal operation can be prevented by adjusting the timing.
With the invention, the communicating section controls the diagnosis processing for a plurality of command control sections at different timings, so that an illegal operation can be prevented by adjusting the timing.
With the invention, a plurality of command control sections are connected to each bus interface, so that an illegal operation can be prevented on a per-bus basis.
With the invention, the communicating section sets the timing of data transfer to the command control sections connected to each bus interface arbitrarily. Therefore, the capability to prevent an illegal operation is enhanced compared with a case where transfer follows a fixed sequence.
With the invention, the communicating section executes encryption and decryption in communication with each command control section using a specific cryptographic key allocated to that command control section, and each command control section executes encryption and decryption in communication with the communicating section using the specific cryptographic key allocated to it. Therefore, the security of the transferred contents can be maintained separately for each command control section.
With the invention, the cryptographic key allocated to each command control section is updated using a random number generator. Because the cryptographic key is not fixed, the capability to prevent an illegal operation is enhanced.
With the invention, before an encrypted command is transferred to the command control section, the cryptographic key used to encrypt the command is itself encrypted with a specified cryptographic key and the result is notified to the command control section; the command control section decrypts the notified cryptographic key with the specified cryptographic key and decrypts the encrypted command transferred from the communicating section using the recovered key, so that an illegal operation can be prevented each time a command is transferred.
With the invention, a plurality of paths are provided between the upper device and the safe for electronic money, and when a fault is detected on a path, communication is continued by switching to a path that is normal, so that a fail-safe function for continuing communication can be realized.
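The exchange described in the three paragraphs above, as an added example that is not part of the patent: each command control section holds its own long-term key, the communicating section draws a fresh random key for every command, wraps that key under the section's long-term key, and encrypts the command under the fresh key. The cipher is an assumption (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the example needs only the Python standard library; a real safe would use a proper authenticated cipher), as are the section ids, the wiring model and the command strings. The last function shows why per-section keys also help against the bus rewiring of FIG. 25: a terminal's wrapped key can only be opened by the section it was provisioned for.

```python
"""Per-section keys and a wrapped per-command key (constructed example,
standard library only). An HMAC-SHA256 keystream with an encrypt-then-MAC tag
stands in for the cipher a real safe would use; the bus wiring, section ids
and command strings are assumptions."""
import hashlib
import hmac
import secrets


class AuthError(Exception):
    """Tag check failed: message was not produced under this key."""


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise AuthError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise AuthError("authentication tag mismatch")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CommandControlSection:
    def __init__(self, section_id: int, section_key: bytes) -> None:
        self.section_id = section_id
        self.section_key = section_key  # the "specified key" allocated to this section
        self.executed: list[bytes] = []

    def receive(self, wrapped_key: bytes, sealed_command: bytes) -> bytes:
        """Unwrap the per-command key with the section key, then open the command."""
        command_key = unseal(self.section_key, wrapped_key)
        command = unseal(command_key, sealed_command)
        self.executed.append(command)
        return command


class CommunicatingSection:
    def __init__(self, sections: list[CommandControlSection]) -> None:
        self.terminal_keys = [s.section_key for s in sections]  # provisioned wiring
        self.bus = list(sections)  # physical wiring; an attacker may change this

    def send(self, terminal: int, command: bytes) -> bytes:
        command_key = secrets.token_bytes(32)  # fresh key from the RNG per command
        wrapped = seal(self.terminal_keys[terminal], command_key)
        return self.bus[terminal].receive(wrapped, seal(command_key, command))


def build_safe():
    sections = [CommandControlSection(i, secrets.token_bytes(32)) for i in (201, 202, 203)]
    return CommunicatingSection(sections), sections


def round_trip() -> bool:
    comm, _ = build_safe()
    return all(comm.send(t, b"draw 100") == b"draw 100" for t in range(3))


def tamper_is_detected() -> bool:
    key = secrets.token_bytes(32)
    blob = bytearray(seal(key, b"draw 100"))
    blob[20] ^= 0x01  # flip one ciphertext bit
    try:
        unseal(key, bytes(blob))
    except AuthError:
        return True
    return False


def rewired_bus_is_rejected() -> bool:
    """FIG. 25A: all terminals wired to section 201. Terminal 0 still works, but
    terminals 1 and 2 wrap the command key for 202/203, which 201 cannot open,
    so the command never executes there."""
    comm, sections = build_safe()
    comm.bus = [sections[0]] * 3
    comm.send(0, b"draw 100")
    rejected = 0
    for terminal in (1, 2):
        try:
            comm.send(terminal, b"draw 100")
        except AuthError:
            rejected += 1
    return rejected == 2 and len(sections[0].executed) == 1
```

The tag is checked before any decryption so that a section never acts on a command it cannot authenticate, and the per-command key is never reused, which is what the random-number update of the previous paragraph buys: capturing one wrapped key gives an attacker nothing for the next command.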
Other objects and features of this invention will become apparent from the following description with reference to the accompanying drawings.