The present invention relates to information processing apparatuses and methods, recording media, and programs, and more particularly, to an information processing apparatus and method, a recording medium, and a program in which the tampering and leakage of data and information can be prevented.
Due to the development of information processing technologies, a large amount of information is sent and received via communication networks. For example, IC cards (smart cards) used in e-cash systems and security systems have built-in central processing units (CPUs) that perform various processing jobs and memory devices that store data required for processing. Data can be sent and received while an IC card is in electrical contact with a predetermined reader/writer.
In the lifecycle of an IC card, a new folder for storing data required for providing services is added, or a key required for accessing data is changed, that is, a so-called “card issue operation” is performed.
FIG. 1 is a flowchart illustrating the lifecycle of a known IC card.
An IC card is manufactured by a predetermined card manufacturer and is then shipped to an IC-card issuer as a raw IC card without data required for providing services or a key required for accessing data (hereinafter such a card state is referred to as the “manufacturer shipment state”).
Then, the IC-card issuer performs processing such as generating a main folder (MF) for storing data and recording, in the storage area of the IC card, an authentication key used for mutual authentication (hereinafter such processing is referred to as the “zeroth-order issue operation”). The IC card, now carrying the MF and the mutual authentication key, is then shipped to a service provider that provides predetermined services to users by means of the IC card (hereinafter such a card state is referred to as the “zeroth-order card-issued state”).
Subsequently, the service provider performs processing, such as reserving a storage area (dedicated file (DF)) for providing services within the MF and writing a key required for accessing the reserved DF (hereinafter such processing is referred to as the “primary issue operation”).
Then, the IC card subjected to the primary issue operation, now carrying the DF and the key for accessing the DF within the main folder, is distributed to a facility providing services to a user, for example, to an office of the service provider (hereinafter such a card state is referred to as the “primary card-issued state”).
Then, in the office, processing such as writing into the DF the data (for example, personal information) required for the user to receive the services, together with a key required for accessing that data (hereinafter such processing is referred to as the “secondary issue operation”), is performed, and the IC card is then distributed to the user.
The user receives the services provided by the service provider by using the IC card in which the data, such as personal information, and the key for accessing the data are written (hereinafter such a card state is referred to as the “secondary card-issued state”).
When the IC card is no longer used, it is collected by the service provider. The service provider erases (deletes) all data stored in the collected IC card and delivers the IC card without data (disposal state) to a disposal agent, and the disposal agent disposes of the IC card.
In this manner, in each state of the lifecycle of the IC card, the IC-card issue operation of the IC card is performed.
In some known IC cards, for example, the IC card disclosed in Japanese Unexamined Patent Application Publication No. 2000-36014, in the IC-card issue operation, encrypted card issue information sent from an IC-card issue machine is received and decrypted. That is, in this IC card, the IC-card issue operation is performed by decrypting the received card issue information and recording the decrypted card issue information.
In the above-described technology, however, although the type of processing that can be performed by the IC card is different in each state of the lifecycle of the IC card, the IC card unconditionally receives all commands including commands that should not be processed and executes all the received commands.
Additionally, the same authentication key is used for conducting mutual authentication with a communicating party in each state of the lifecycle of the IC card. Thus, it is possible that a card issuer or a service provider owning the authentication key could transmit a command that should not be processed to the IC card and allow the IC card to execute that command.
When the IC card is to be disposed of, the data recorded on the IC card can be erased or the authentication key used for mutual authentication can be changed. However, since the IC card receives all commands, including commands that should not be processed, and executes all the received commands, the erased data may be disadvantageously reconstructed.
It is thus very difficult to prevent the tampering or leakage of data or information.
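The two weaknesses described above (every command executed regardless of lifecycle state, and one authentication key shared by every state) can be made concrete with a small model. The following Python code is an added illustration and is not part of the application or the invention's own mechanism: `KnownCard` behaves as the text describes, while `GatedCard` is an assumed hardened variant with a per-state command allow-list and a per-state key. The state names follow the text; the command names, keys, allow-list and transitions are constructed for the example.

```python
import hmac
from enum import Enum, auto


class State(Enum):
    """Lifecycle states named in the text."""
    MANUFACTURER_SHIPMENT = auto()
    ZEROTH_ORDER_ISSUED = auto()
    PRIMARY_ISSUED = auto()
    SECONDARY_ISSUED = auto()
    DISPOSED = auto()


# Command names constructed for this example, one group per issue operation.
CREATE_MF, WRITE_MF_KEY = "CREATE_MF", "WRITE_MF_KEY"          # zeroth-order issue
CREATE_DF, WRITE_DF_KEY = "CREATE_DF", "WRITE_DF_KEY"          # primary issue
WRITE_USER_DATA, READ_USER_DATA = "WRITE_USER_DATA", "READ_USER_DATA"  # secondary issue / use
ERASE_ALL = "ERASE_ALL"                                        # collection before disposal

# Assumed policy: which commands each state may execute. DISPOSED executes nothing.
ALLOWED = {
    State.MANUFACTURER_SHIPMENT: {CREATE_MF, WRITE_MF_KEY},
    State.ZEROTH_ORDER_ISSUED: {CREATE_DF, WRITE_DF_KEY},
    State.PRIMARY_ISSUED: {WRITE_USER_DATA},
    State.SECONDARY_ISSUED: {READ_USER_DATA, ERASE_ALL},
    State.DISPOSED: set(),
}

# The command that completes an issue operation advances the card to the next state.
TRANSITIONS = {
    (State.MANUFACTURER_SHIPMENT, WRITE_MF_KEY): State.ZEROTH_ORDER_ISSUED,
    (State.ZEROTH_ORDER_ISSUED, WRITE_DF_KEY): State.PRIMARY_ISSUED,
    (State.PRIMARY_ISSUED, WRITE_USER_DATA): State.SECONDARY_ISSUED,
    (State.SECONDARY_ISSUED, ERASE_ALL): State.DISPOSED,
}

# Constructed keys. The known design shares one key across all states; the gated
# design holds a different key per state and deliberately has none for DISPOSED.
SHARED_KEY = b"one-key-for-every-state"
STATE_KEYS = {
    State.MANUFACTURER_SHIPMENT: b"issuer-key",            # used by the IC-card issuer
    State.ZEROTH_ORDER_ISSUED: b"service-provider-key",    # used by the service provider
    State.PRIMARY_ISSUED: b"office-key",                   # used at the office
    State.SECONDARY_ISSUED: b"user-service-key",           # used for service and erasure
}


def _apply(card, command, payload):
    """Storage effect of a command, shared by both card models."""
    if command == WRITE_USER_DATA:
        card.data.update(payload or {})
    elif command == READ_USER_DATA:
        return dict(card.data)
    elif command == ERASE_ALL:
        card.data.clear()
    card.state = TRANSITIONS.get((card.state, command), card.state)
    return "OK"


class KnownCard:
    """Model of the card described in the text: one key for all states, and every
    command executed as soon as that key matches, whatever the current state."""

    def __init__(self, key):
        self.key, self.state, self.data = key, State.MANUFACTURER_SHIPMENT, {}

    def execute(self, command, key, payload=None):
        if not hmac.compare_digest(key, self.key):
            return "AUTH_FAILED"
        return _apply(self, command, payload)


class GatedCard:
    """Assumed hardened model: authenticate with the key bound to the current state,
    then execute the command only if the state's allow-list permits it."""

    def __init__(self, state_keys):
        self.state_keys, self.state, self.data = state_keys, State.MANUFACTURER_SHIPMENT, {}

    def execute(self, command, key, payload=None):
        expected = self.state_keys.get(self.state)
        if expected is None or not hmac.compare_digest(key, expected):
            return "AUTH_FAILED"
        if command not in ALLOWED[self.state]:
            return "REFUSED"
        return _apply(self, command, payload)


def lifecycle_then_reconstruct(card, key_for):
    """Run every issue operation in order, erase the card for disposal, then try to
    write the erased data back. Returns (reply to that write, data left on the card)."""
    user_data = {"name": "A. User"}  # constructed personal data
    steps = [(CREATE_MF, None), (WRITE_MF_KEY, None), (CREATE_DF, None),
             (WRITE_DF_KEY, None), (WRITE_USER_DATA, user_data), (ERASE_ALL, None)]
    for command, payload in steps:
        if card.execute(command, key_for(card.state), payload) != "OK":
            raise RuntimeError(f"{command} failed in state {card.state.name}")
    reply = card.execute(WRITE_USER_DATA, key_for(card.state), user_data)
    return reply, dict(card.data)


def compare_models():
    """Known card: the erased data is written back after disposal. Gated card: refused."""
    known = lifecycle_then_reconstruct(KnownCard(SHARED_KEY), lambda s: SHARED_KEY)
    gated = lifecycle_then_reconstruct(GatedCard(STATE_KEYS), lambda s: STATE_KEYS.get(s, b""))
    return known, gated


if __name__ == "__main__":
    print(compare_models())
```

In `compare_models` the known card answers `OK` to the post-disposal write and the personal data is back on the card, which is the reconstruction risk the text describes; the gated card answers `AUTH_FAILED` because no key is valid in the disposal state, and a gated card in the manufacturer shipment state refuses a primary-issue command such as `CREATE_DF` even when the correct key for that state is presented.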