1. Field of the Invention
The present invention relates to an information processing apparatus and method, a setting apparatus and method, and a program. More particularly, the present invention relates to an information processing apparatus and method, a setting apparatus and method, and a program capable of specifying a module for calculating key information corresponding to a service from the outside.
2. Description of the Related Art
In recent years, various services using an IC card, in which an IC chip is embedded, such as FeliCa (registered trademark), etc., have become widespread. Such services include, for example an electronic money service which enables a user to pay for goods at purchase time using an IC card, a service which enables a user to use an IC card as a ticket for transportation facilities, such as a train, etc., a service which enables a user to take care of reward points issued by stores, and the like.
These services are implemented, for example by the configuration as shown in FIG. 1.
In the example shown in FIG. 1, an application server 2 and a client terminal 4 are connected through the Internet 3. A SAM (Secure Application Module) 1 is connected to the application server 2, and a reader/writer 5 is connected to the client terminal 4. The reader/writer 5 may be provided as being contained in the client terminal 4. The SAM 1, the application server 2, the client terminal 4, and the reader/writer 5 are provided by a service provider, for example.
Also, in the example in FIG. 1, an IC card 6, in which a contactless IC chip 7 is embedded, is in close vicinity of the reader/writer 5, and thus the IC card 6 can perform short-distance communication with the reader/writer 5 using electromagnetic induction. The IC card 6 is carried around by a user of the services.
The SAM 1 is a tamper-resistant apparatus, and performs encryption processing and management of a key used in the encryption processing. The SAM 1 encrypts a command supplied from the application server 2, and outputs the encrypted command to the application server 2. The SAM 1 and the IC chip 7 individually have a common key, and encryption communication is performed between the SAM 1 and the IC chip 7 by the transmission and receiving of the information encrypted by that key through each of the apparatuses.
The application server 2 outputs the command (command to be executed by the IC chip 7) created in response to a request from the client terminal 4 to the SAM 1. Also, when the encrypted command is supplied from the SAM 1, the application server 2 transmits it to the client terminal 4. An HTTP (Hyper Text Transfer Protocol) server and an HTTP client are implemented in the application server 2 and the client terminal 4, respectively. Such data transmission and receiving are performed by the HTTP communication.
Also, the application server 2 transmits screen information to the client terminal 4, and displays it on the display of the client terminal 4.
The client terminal 4 transmits a predetermined request to the application server 2. At the same time, when a command is transmitted from the application server 2, the client terminal 4 supplies the command to the IC chip 7 through the reader/writer 5 to execute it.
The IC chip 7 decrypts the encrypted command that has been transmitted from the SAM 1 through the reader/writer 5, etc., and executes the command. When the content of the command is, for example to instruct to rewrite electronic money, the command also includes amount-of-money information to rewrite, etc.
In a system having such a configuration, for example when a user of the IC card 6, who is a user of an electronic money service, pays for goods using electronic money stored in the IC chip 7, a payment request of the goods is transmitted from the client terminal 4 to the application server 2 in response to the user holding the IC card 6 above the reader/writer 5. The application server 2, which has received the request, creates the command (Read command) for requesting the IC chip 7 to read the balance of the electronic money.
The Read command created by the application server 2 is encrypted by the SAM 1, and then is transmitted to the IC chip 7 through the application server 2, the Internet 3, the client terminal 4, and the reader/writer 5. After the Read command is decrypted in the IC chip 7, the Read command is executed.
The balance which has been read by the execution of the Read command is encrypted by the IC chip 7, and then is transmitted to the SAM 1 through the reader/writer 5, the client terminal 4, the Internet 3, and the application server 2 as a response to the application server 2. The SAM 1 decrypts the encrypted balance transmitted from the IC chip 7, and the decrypted balance is transmitted to the application server 2.
Thus, it is possible for the application server 2 to check the current balance of the electronic money stored in the IC chip 7.
When the application server 2 checked the balance, the application server 2 creates the command (Write command) for requesting the IC chip 7 to rewrite the balance (replace the previous balance with the difference when the price of the goods is subtracted from the previous balance) of the electronic money.
In the same manner as the Read command transmitted before, the Write command created by the application server 2 is encrypted by the SAM 1, and then is transmitted to the IC chip 7 through the application server 2, the Internet 3, the client terminal 4, and the reader/writer 5. After the Write command is decrypted in the IC chip 7, the Write command is executed. The Write command also includes information indicating the new balance. Thus, the balance of the electronic money stored in the IC chip 7 becomes the difference when the price of the goods is subtracted from the previous balance.
For example, after the processing is performed, such as a message notifying the completion of the subtraction from the previous balance is transmitted from the IC chip 7 to the application server 2, a series of processing is terminated. The payment of the price of the goods is carried out by such processing.
In this regard, at the time of starting a series of processing, the identification information of the IC chip 7, the information stored in the area allocated to an electronic money service out of the memory disposed in the IC chip 7, etc., are transmitted from the IC chip 7 to the SAM 1. Mutual authentication using the key calculated by the SAM 1 is performed between the SAM 1 and the IC chip 7 on the basis of the transmitted information, etc. When the mutual authentication has been successful, the encryption of the above-described data (command), the decryption of the encrypted data, etc., are performed using the key information calculated at the time of the mutual authentication. Japanese Unexamined Patent Application Publication No. 2004-274211 has disclosed a system in which mutual authentication is performed, and the processing is performed between the SAM and IC chip that have succeeded in the mutual authentication.
FIG. 2 is a diagram illustrating an example of the software configuration of the SAM 1.
As shown in FIG. 2, the SAM 1 is provided with software including a common portion 11 and logic 12.
The common portion 11 is a software module provided in common for SAMs achieving any services. The common portion 11 includes the descriptions of the algorithms for performing, for example the mutual authentication with the IC chip, which is performed using the key information calculated by the logic 12, the encryption of the command created by the application server 2, the decryption of the encrypted data by the IC chip, etc.
The logic 12 is a software module provided differently for each service (for each memory area (area for reading and writing data) of the IC chip to be an access destination). The logic 12 includes, for example the description of the algorithm for calculating the key information used for the mutual authentication, the data encryption, the decryption of the encrypted data on the basis of the information obtained from the IC chip to be the communication party on the other end at the start time of the communication.
The common portion 11 performs the encryption processing (the mutual authentication, the data encryption, the decryption of the encrypted data) using the key information calculated by the logic 12 appropriately.
In this regard, the software configuration shown in FIG. 2 may be not included in the SAM 1, and may be included in the application server 2. In this case, the encryption processing is performed by the application server 2 itself.