1. Field of the Invention
The present invention relates to a method of managing a plurality of files in an IC card incorporating an IC chip having a nonvolatile memory for storing the files and a control device, such as a CPU, for controlling the nonvolatile memory.
2. Description of the Related Art
An IC card incorporating an IC chip having a nonvolatile data memory and a control unit, such as a CPU, for controlling the data memory has recently attracted attention as a portable data storage medium. In this IC card, the data memory is divided into a plurality of files, each storing data necessary for operating an application, and an identification name of the application is input from an external device to render only the corresponding file usable. Since a plurality of items of application data are assigned to their corresponding files and stored in a single IC card, the IC card can be used for a wide range of purposes. The files include a plurality of data files for storing transaction files and the like and a key file for storing key data.
Furthermore, in recent IC cards, information called an access condition is added to each file, and whether a command may access the file is determined on condition that the key of the card designated by this information has been checked.
Between an IC card leaving its manufacturer and reaching its user, various operations, such as issuance of the card and storage of system basic information into the card, are performed, and the parties concerned vary from operation to operation. For example, the party concerned with the issuance of the card is a card issuer (superordinate), while the party concerned with the storage of system basic information is an application provider (subordinate). When authorization for access to the card is shifted from the card issuer to the application provider, a provisional key called a "transport key" is generally set in the IC card and checked by the application provider, with the result that the application provider can gain access to the IC card afterward.
If the access condition of the file is set such that only the application provider can manage the data of the file, the card issuer can never set the transport key, since there is no application provider key for the issuer to satisfy in order to set the transport key. To avoid this, there is a method of setting either one of the application provider key and the card issuer key as the access condition of the file. More specifically, the access condition has only to be set such that it is satisfied by collating the card issuer key when the card issuer sets a transport key of the application provider in the file, and such that it is satisfied by collating the application provider key when the application provider manages the data of the file. However, the access condition set in the file can then be satisfied by both the card issuer and the application provider and, in this case, the authorization to manage data of the file is not transferred from the card issuer (superordinate) to the application provider (subordinate).
Since the transport key is known to the card issuer, the application provider generally checks and rewrites the transport key in order to prevent any person other than the application provider from getting to know the transport key.
The above-described prior art, however, complicates the problems caused when data of the IC card is altered. The period of validity for utilizing application data of the IC card is generally changed by checking the key of the application provider. If, therefore, the application data is altered, the application provider is called to account therefor.
However, when the application provider uses the unchanged transport key, the card issuer has to perform the same operation as that of the application provider. In other words, though the alteration of data is due to the application provider's carelessness, the card issuer is also suspected of the alteration of data.
It is thus impossible to completely execute "transfer of file management authorization to the IC card" which is the original object in utilizing the transport key.
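The two prior-art situations described above can be reproduced with a small model. The following is an added example, not part of the original document; the class, the key identifiers and the key values are assumptions constructed for illustration. It models one file whose access condition is satisfied by any one of the listed keys, and shows what the card issuer can still do after hand-over.

```python
import hmac
ISSUER, PROVIDER = "issuer_key", "provider_key"   # assumed key identifiers

class Card:
    """Constructed model: one file guarded by an 'any of these keys' access condition."""
    def __init__(self, issuer_secret, access_condition):
        self.keys = {ISSUER: issuer_secret}            # key file
        self.access_condition = set(access_condition)  # one verified key suffices
        self.verified = set()                          # keys collated this session
        self.data = b""

    def reset(self):
        self.verified.clear()                          # new session, nothing verified

    def verify(self, key_id, value):
        ok = key_id in self.keys and hmac.compare_digest(self.keys[key_id], value)
        if ok:
            self.verified.add(key_id)
        return ok

    def _allowed(self):
        return bool(self.verified & self.access_condition)

    def set_key(self, key_id, value):
        if self._allowed():
            self.keys[key_id] = value
        return self._allowed()

    def update_data(self, data):
        if self._allowed():
            self.data = data
        return self._allowed()

def provider_only_condition():
    card = Card(b"ISSUER-SECRET", {PROVIDER})
    card.verify(ISSUER, b"ISSUER-SECRET")
    return card.set_key(PROVIDER, b"TRANSPORT")        # issuer is refused

def either_key_condition(provider_rewrites):
    card = Card(b"ISSUER-SECRET", {ISSUER, PROVIDER})
    card.verify(ISSUER, b"ISSUER-SECRET")
    card.set_key(PROVIDER, b"TRANSPORT")               # issuer installs transport key
    card.reset()
    if card.verify(PROVIDER, b"TRANSPORT") and provider_rewrites:
        card.set_key(PROVIDER, b"PROVIDER-SECRET")     # provider replaces it
    card.reset()
    own = card.verify(ISSUER, b"ISSUER-SECRET") and card.update_data(b"x")
    card.reset()
    transport = card.verify(PROVIDER, b"TRANSPORT") and card.update_data(b"y")
    return own, transport  # issuer's two routes to the file after hand-over
```

With the either-key condition the issuer's own key keeps working whether or not the provider rewrites the transport key, and an unchanged transport key gives the issuer a second route that is indistinguishable from the provider's.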
Compulsorily rewriting the transport key and checking it in the IC card is not realistic for applications that pursue only the convenience of the IC card.