1. Field of the Invention
The present invention relates to file management methods, memory cards and terminal apparatus, and in particular to preventing inconsistencies between the files actually recorded in a memory card and the file management information thereof.
2. Description of the Related Art
In recent years, IC cards have come into use for commuter passes, telephone cards, cash cards, and the like. Likewise, memory cards have been in use as a memory medium for personal computers (PCs), digital cameras, music players, and the like. Both kinds of card are thus in use for various purposes.
Memory cards are used to supplement the built-in memory areas of digital cameras, music players and the like, and for portability. For instance, by storing the electronic data of pictures taken with a digital camera in an installed memory card and then installing this memory card in a PC, these pictures can be viewed on the PC.
On the other hand, as shown in FIG. 1, IC card 20, which incorporates a memory and a CPU, comprises memory section 22 that consists essentially of an information-writable/readable IC memory, and in-card processing system 21 that consists essentially of a CPU that is connected to memory section 22 by way of interface (I/F) 23 and that controls data writing/reading with respect to memory section 22. In-card processing system 21 performs the file management of memory section 22. Furthermore, when writing data into or reading data from IC card 20, terminal 10 sends a writing or reading request to in-card processing system 21 via communication sections 11 and 24 and, by way of in-card processing system 21, writes data into or reads data from memory section 22.
Then, in-card processing system 21, upon verifying that this terminal 10 is a terminal legitimately qualified for processing the data stored in memory section 22, responds to a writing request or a reading request from terminal 10. So if the card is a cash card, access to the data stored in the card will be denied to all terminals except bank terminals, so that the security of the data stored in the card is preserved.
While IC cards that maintain the security of stored data by verifying terminals are in use, lately, so that users need not carry several cards, the development of multi-functional memory cards that incorporate IC-card functions, so that a single card can be used for various purposes, has been in progress.
This card (hereinafter called “secure card”) comprises, as shown in FIG. 2, memory section 32 and in-card processing system 31 that is connected to memory section 32 by way of interface (I/F) 33 and that controls data writing/reading with respect to memory section 32. However, it is also possible for terminal 10 to have direct access to memory section 32 by way of interface (I/F) 34.
When terminal 10 directly accesses memory section 32 of secure card 30, this, unlike with the aforementioned IC card 20, does not require verification, and so any terminal 10 is able to read data out. Although this is in keeping with the developing versatility of the cards, it makes it difficult to preserve data security, and so there is a need for a scheme whereby direct access to data that requires confidentiality is disallowed.
For such a scheme, a system is under consideration in which in-card processing system 31 manages the files of highly confidential data without disclosing their file management information to terminal 10 at all, so that only a terminal 10 verified by in-card processing system 31 performs data writing/reading with respect to these files, via in-card processing system 31. Meanwhile, the file management information of the files holding data without high confidentiality is disclosed to terminal 10, and terminal 10 directly performs writing/reading with respect to these files.
For a secure card that employs such a system, the range of use would be broad. That is, it is applicable to memory cards for PCs, digital cameras, audio/video players and the like, electronic bankbooks and cash cards for use with bank terminals, credit cards and debit cards for use with shop terminals, and to cards for electronic money payment, for receiving and keeping electronic receipts, and for recording use history. Moreover, it is possible to accumulate music distribution contents and pay the fees by means of in-card payment functions such as credit and debit.
Of the above range of use, however, taking all the trouble to verify a user, for instance when using a secure card as a memory card for a PC or for a digital camera, only adds to inconvenience. So, for such use, direct access by terminal 10 to the card's memory section 32 is tolerated.
Nevertheless, if an electronic receipt issued at a certain shop can be freely viewed at other shops, or if the content of an electronic bankbook can be read through other shop terminals, this is a problem from the viewpoint of privacy protection. For this reason, in-card processing system 31 of secure card 30 performs file management in such a way that electronic receipt information can be viewed only by the holder or the issuing shop and an electronic bankbook can be accessed only through bank terminals.
Regarding the example of music distribution, a decrypting key for decrypting the encrypted contents is stored in memory section 32 via in-card processing system 31 so that it cannot be taken out illegitimately, while the actual body of the encrypted contents, meaningless without a decrypting key, is stored by means of direct access to memory section 32.
FIG. 3 schematically shows the data writing that terminal 10 performs through direct access to memory section 32 of secure card 30, and the data writing that in-card processing system 31 of secure card 30 performs. Incidentally, although the FAT file system that uses the FAT (File Allocation Table), NTFS (Windows (registered trademark) NT File System), UFS (Unix (registered trademark) File System) and the like are known as file management systems, the present document will describe cases with FAT.
In FIG. 3, secure card 30 comprises memory section 32, in which a directory entry and FAT 33 for file management are recorded as file management information, and in-card processing system 31. Terminal 10 comprises terminal processing system 11 that controls direct access to memory section 32, and terminal cache memory 12 that stores data on a temporary basis.
When secure card 30 is installed in terminal 10 and access to secure card 30 from terminal 10 starts, first, the directory entry and FAT 33 recorded in memory section 32 are read out to terminal cache memory 12 (41). The read-out directory entry and FAT are termed FAT 13 in FIG. 3. Terminal processing system 11, when writing data (DAT 2) into memory section 32 of secure card 30, adds the file management information of DAT 2 to FAT 13 (42) and at the same time writes DAT 2 into cache memory 12 (43). Cache memory 12, at a suitable time, writes FAT 13 over FAT 33 (44) and at the same time stores DAT 2 into memory section 32 in accordance with the file management information recorded in FAT 13 (45).
On the other hand, in-card processing system 31 of secure card 30, when writing data (DAT 1) into memory section 32 of secure card 30, adds the file management information of DAT 1 to the directory entry and FAT 34 that it uses for its own file management (46) and at the same time stores DAT 1 into memory section 32 in accordance with the file management information recorded in FAT 34 (47).
As with the aforementioned example of music distribution, there is a possibility that storing a decrypting key (corresponding to DAT 1) into memory section 32 by in-card processing system 31, and storing the actual body of encrypted contents (corresponding to DAT 2) into memory section 32 by terminal processing system 11 are performed virtually at the same time.
As shown in FIG. 4, in-card processing system 31 is also capable of storing the directory entry and FAT used for its own file management into memory section 32 as an EXT-directory and EXT-FAT 35, which are extension file management information.
In the case of this secure card, however, the file management information of memory section 32 that terminal processing system 11 is able to learn (that is, FAT 33 and FAT 13) does not contain the file management information managed by in-card processing system 31 (that is, FAT 34). Consequently, as shown for instance in FIG. 5, there is a threat that terminal processing system 11, by means of FAT 13, designates the area where DAT 1 has been stored by in-card processing system 31 as a storage area for DAT 2.
Even when in-card processing system 31 adds the information relating to the DAT 1-written area to FAT 33 and updates it, terminal 10 refers to FAT 13 that has been read out to terminal cache memory 12 and so is unable to learn the writing area of DAT 1. Moreover, when FAT 33 is overwritten with FAT 13, the content of FAT 33 updated by in-card processing system 31 becomes invalid.
In such a case, if DAT 2 is written according to the file management information of FAT 13 updated by terminal processing system 11, this will result in DAT 1 being deleted.
Such a situation arises when the file management information (FAT 13) managed by a terminal is inconsistent with the state of the files actually recorded in memory section 32.
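The write sequence (41) to (47) described above can be traced in a small simulation. This is an added example, not part of the original document; it assumes a simplified model in which each FAT is a flat list mapping cluster index to file name (no chains or directory entries), and the byte strings standing in for DAT 1 and DAT 2 are constructed.

```python
# Added illustration; simplified model (assumption): each "FAT" is a list that
# maps cluster index -> file name, or None when the cluster is free.
CLUSTERS = 4
KEY = b"decrypting key"            # constructed stand-in for DAT 1
BODY = b"encrypted contents"       # constructed stand-in for DAT 2

def first_free(*tables):
    """Lowest cluster that every given table believes is free."""
    return next(i for i in range(CLUSTERS) if all(t[i] is None for t in tables))

def simulate(card_updates_fat33):
    memory = [None] * CLUSTERS     # data area of memory section 32
    fat33 = [None] * CLUSTERS      # FAT 33: disclosed to the terminal
    fat34 = [None] * CLUSTERS      # FAT 34: private to in-card system 31

    fat13 = list(fat33)            # (41) terminal caches FAT 33 as FAT 13

    c1 = first_free(fat33, fat34)  # (46) card records DAT 1 in FAT 34
    fat34[c1] = "DAT1"
    memory[c1] = KEY               # (47) card stores DAT 1
    if card_updates_fat33:
        fat33[c1] = "DAT1"         # card also marks the cluster in FAT 33

    c2 = first_free(fat13)         # (42) terminal allocates from stale FAT 13
    fat13[c2] = "DAT2"
    cached = BODY                  # (43) DAT 2 held in cache memory 12

    fat33[:] = fat13               # (44) FAT 13 written over FAT 33
    memory[c2] = cached            # (45) DAT 2 stored per FAT 13

    return {"dat1_cluster": c1, "dat2_cluster": c2,
            "fat33": fat33, "dat1_intact": memory[c1] == KEY}

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, simulate(flag))
```

In both runs DAT 1 is lost: whether or not the card marks its cluster in FAT 33, the terminal allocates from its cached copy and then writes that copy back over FAT 33.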
In order to prevent such file management information inconsistency, in the SAN (Storage Area Network), whereby several hosts share a memory device, a method has been employed whereby a server manages file management information all by itself. According to this method, each client that stores information in a shared memory device tells the server a file name, size and the like and requests a reservation of a data area and, upon being notified of a reserved area by the server, stores data in the designated area and thereafter tells the file composition information to the server.
However, when this method is applied to a secure card, given that a secure card is a removable medium, the apparatus that is equivalent to the SAN server differs depending on the circumstances, and consequently, the file management information managed by in-card processing system 31 will be known to an unlimited number of terminals, which makes it difficult to preserve the security of data.