1. Field of the Invention
The present invention relates to a data storage device and a data storage method, and more particularly to a data storage device and a data storage method which can manage the resources of IC cards and perform access control to IC cards with high flexibility and security in a case where a plurality of managers supply their services by using an IC (Integrated Circuit) card.
2. Description of the Related Art
IC cards (smart cards), which are expected to be used in electronic money systems, security systems, etc., have been developed.
The IC card has a CPU (Central Processing Unit) for performing various kinds of processing and a memory for storing data necessary for the processing. Data transmission/reception to/from the IC card is performed either while the card is electrically connected to a predetermined reader/writer (R/W) or in a non-contact state by using electromagnetic waves. An IC card which performs data transmission/reception with the R/W in a non-contact state by using electromagnetic waves is generally also supplied with the necessary power through the electromagnetic waves.
For example, ISO (International Organization for Standardization) 7816 defines the standard for contact-type IC cards. According to this standard, data management can be performed on the basis of, for example, EF (Elementary File) (corresponding to a so-called file) for storing data, and DF (Dedicated File) (corresponding to a so-called directory (folder)) for storing EF and DF. Accordingly, data management based on a layer structure is possible by setting some DF as a parent layer and providing DF of a child layer under it.
When IC cards are used for the supply of services by plural managers, one conceivable method is to allocate a DF as a layer to each of the plural managers and to store, in that DF, EF holding the data used for each manager's service.
However, it is difficult in ISO7816, etc. to restrict, for every DF, the usable capacity and the resources of the IC card such as the identification codes for identifying DF and EF (corresponding to a file name and a directory name).
Therefore, it is difficult to prevent an identification code from being duplicated between different managers, and it is also difficult to prevent a manager from using more of the memory contained in an IC card than a predetermined capacity which is determined through a contract or the like.
Further, in a case where IC cards are used in an electronic money system or security system, security properties such as secrecy of data and prevention of forgery of IC cards are important. In ISO7816, for example, access to a DF and to the EF belonging to that DF is restricted by locking the DF. That is, in ISO7816, in order to access some DF, it is necessary to know all the DF keys of the upper layers (parent layers) on the path extending to the DF concerned.
Therefore, for example, when some manager serving as a parent manager shares a part of the resources allocated thereto with another manager serving as a child manager, and a DF managed by the child manager is formed in the DF managed by the parent manager, the child manager must, in order to access its own DF, know a key for accessing the DF of the parent layer, that is, the DF of the parent manager. This poses a security problem.
The present invention has been implemented in view of such a situation, and has an object to enable resource management for storing data, and access control to the data, with high flexibility and security.
According to an aspect of the present invention, a data storage device is characterized by comprising: storage means having an area defining area for storing the range of a storage area identifying code which can be allocated to a storage area to be managed and is used to identify the storage area and the empty capacity of the storage area to be managed; and management means for managing the storage means on the basis of the storage content of the area defining area. The storage means has the area defining area for storing the range of the storage area identification code which can be allocated to the storage area to be managed and is used to identify the storage area, and the empty capacity of the storage area to be managed, and the management means manages the storage means on the basis of the storage content of the area defining area.
According to another aspect of the present invention, a data storage method is characterized by comprising a management step of managing storage means on the basis of the storage content of an area defining area of the storage means having an area defining area for storing the range of a storage area identifying code which can be allocated to a storage area to be managed and is used to identify the storage area and the empty capacity of the storage area to be managed. The storage means is managed on the basis of the storage content of the area defining area of the storage means having the area defining area for storing the range of the storage area identifying code which can be allocated to the storage area to be managed and is used to identify the storage area and the empty capacity of the storage area to be managed.
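The management step described in the two aspects above can be sketched as follows. This is an added example, not code from the patent: the class and field names, the block-based capacity unit and all sample values are assumptions. Each area defining area holds the range of identification codes it may allocate and its free capacity, and every allocation is checked against that content.

```python
from dataclasses import dataclass, field

@dataclass
class AreaDefinition:
    """Assumed model of one area defining area: code range plus free capacity."""
    code_min: int
    code_max: int
    free_blocks: int
    children: list = field(default_factory=list)
    services: dict = field(default_factory=dict)   # identification code -> blocks

    def _reserve(self, lo, hi, blocks):
        # Codes must lie in this area's range and be unallocated; capacity is
        # taken out of this area's own free space.
        if not (self.code_min <= lo <= hi <= self.code_max):
            raise PermissionError("code outside this area's allocated range")
        if any(lo <= c.code_max and c.code_min <= hi for c in self.children) \
                or any(lo <= code <= hi for code in self.services):
            raise PermissionError("code already allocated")
        if blocks > self.free_blocks:
            raise MemoryError("not enough free capacity in this area")
        self.free_blocks -= blocks

    def create_child(self, code_min, code_max, blocks):
        """Delegate a sub-range of codes and part of the free capacity."""
        self._reserve(code_min, code_max, blocks)
        child = AreaDefinition(code_min, code_max, blocks)
        self.children.append(child)
        return child

    def create_service(self, code, blocks):
        """Store data under one identification code inside this area."""
        self._reserve(code, code, blocks)
        self.services[code] = blocks

def attempt(operation, *args):
    """Return 'ok' or the name of the error the management logic raised."""
    try:
        operation(*args)
        return "ok"
    except (PermissionError, MemoryError) as exc:
        return type(exc).__name__

def demo():
    root = AreaDefinition(0x0000, 0xFFFF, 64)        # constructed sample values
    manager_a = root.create_child(0x0100, 0x03FF, 16)
    manager_a.create_service(0x0108, 4)
    results = [attempt(root.create_child, 0x0300, 0x04FF, 8),    # overlaps A
               attempt(manager_a.create_service, 0x0400, 1),     # outside A's range
               attempt(manager_a.create_service, 0x0200, 13)]    # over A's quota
    return root.free_blocks, manager_a.free_blocks, results
```
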
According to a further aspect of the present invention, a data storage device is characterized by comprising: management means for managing the storage area of data storage means while setting the storage area in a layer structure; layer key storage means for storing a layer key for each layer of the storage area of the data storage means; data storage area key storage means for storing a data storage area key for a storage area in which data are stored; generation means for generating one or more certification keys used for the certification to access the storage area by using two or more layer keys or data storage area keys; and certifying means for performing certification on the basis of the certification key. The management means manages the storage area of the data storage means while setting the storage area in the layer structure, and the layer key storage means stores the layer key for each layer of the storage area of the data storage means. The data storage area key storage means stores the data storage area key for the storage area in which the data are stored, and the generation means generates one or more certification keys used for the certification to access the storage area by using two or more layer keys or data storage area keys. The certifying means performs the certification on the basis of the certification key.
According to a still further aspect of the present invention, a data storage method is characterized by comprising a generation step of generating one or more certification keys used for the certification to access the storage area by using two or more layer keys or data storage area keys; and a certification step of performing the certification on the basis of the certification key. The one or more certification keys used for the certification to access the storage area are generated by two or more layer keys or data storage area keys, and the certification is carried out on the basis of the certification key.
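The generation and certification steps can be illustrated with the following added example, which is not code from the patent. The text above does not say how the keys are combined, so chained HMAC-SHA-256, the seed value, the challenge-response check and all function names are assumptions. The sketch shows one certification key built from two layer keys and a data storage area key, with the child manager working from an intermediate value instead of the parent's layer key.

```python
import hashlib
import hmac
import secrets

def fold(previous: bytes, key: bytes) -> bytes:
    """One step of the assumed combining function: mix the next key into the chain."""
    return hmac.new(key, previous, hashlib.sha256).digest()

def certification_key(seed: bytes, keys: list) -> bytes:
    """Fold layer keys (upper layer first), then a data storage area key, into one key."""
    value = seed
    for key in keys:
        value = fold(value, key)
    return value

def respond(cert_key: bytes, challenge: bytes) -> bytes:
    """Prove knowledge of the certification key without sending it."""
    return hmac.new(cert_key, challenge, hashlib.sha256).digest()

def card_verifies(seed, keys_on_path, challenge, response) -> bool:
    # The card stores every layer key, so it recomputes the key on its own.
    expected = respond(certification_key(seed, keys_on_path), challenge)
    return hmac.compare_digest(expected, response)

def demo():
    # Constructed sample keys; a real card would hold these in protected memory.
    seed = b"constructed-system-seed"
    parent_layer_key = secrets.token_bytes(16)
    child_layer_key = secrets.token_bytes(16)
    service_key = secrets.token_bytes(16)
    path = [parent_layer_key, child_layer_key, service_key]

    # The parent manager hands the child only this intermediate value,
    # never parent_layer_key itself.
    handed_to_child = certification_key(seed, [parent_layer_key])
    child_cert_key = certification_key(handed_to_child, [child_layer_key, service_key])

    challenge = secrets.token_bytes(16)
    good = card_verifies(seed, path, challenge, respond(child_cert_key, challenge))
    # A key built without the parent layer's contribution is rejected.
    forged = certification_key(seed, [child_layer_key, service_key])
    bad = card_verifies(seed, path, challenge, respond(forged, challenge))
    return good, bad
```
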