1) Field of the Invention
The present invention is applicable to a card-type storage medium such as an IC card used as a cashless payment card, an ID card, a medical health management card, a local government service card, etc. More specifically, the present invention relates to a method for managing and strengthening security at the time of file access to such a card-type storage medium, and to a card-type storage medium and a transaction apparatus therefor realizing said method.
As exemplified by the forgery of prepaid cards such as telephone cards, crimes involving the forgery of cards and the fabrication of data in cards have been increasing in recent years. A system using such cards therefore requires a more sophisticated and more complex security function.
In particular, a card-type storage medium such as an IC card, which will spread more widely in the future, holds more than a hundred times as much data as a magnetic card. To prevent leakage, forgery or fabrication of that information, the security of a system using such a card-type storage medium is very important.
2) Description of the Related Art
As shown in FIGS. 14 and 15, an IC card (a card-type storage medium) 100 has, in general, a microprocessor unit (MPU) 101 and a storage (a file area, for example an EPROM or an EEPROM) 102, and is connected via a terminal unit 103 to a transaction apparatus (an external apparatus), not shown.
The storage 102 has a data area in which data files are kept and a directory area in which control information (pointers, etc.) for the data files in the data area is kept. The MPU 101 manages the data files in the data area of the storage 102 on the basis of the control information in the directory area.
For instance, when receiving an access command from the external transaction apparatus via the terminal unit 103, the MPU 101 performs a reading process (a read access), a writing process (a write access), an erasing process (an erase access), a rewriting process (a rewrite access) or the like, on the storage 102 in response to the access command.
The MPU 101 has a ROM 101A holding a program for the control operation and a RAM 101B used as a work area during the control operation. In the case of an IC card 100 of the ISO type, the terminal unit 103 is provided with eight contacts (VCC, RST, CLK, RFU, GND, VPP, I/O and RFU).
In such an IC card 100, the storage 102 holds more than 100 times as much data as a magnetic card. To prevent leakage, forgery and fabrication of the data kept in the storage, an access capability (a capability for access) and an access right corresponding to that access capability are generally set in order to carry out a security check.
For instance, the storage 102 of the IC card 100 keeps in advance an access capability and an access right as fundamental security information. The access capability identifies the capability of the party issuing a command to the IC card 100, such as a card issuer, a card holder, an application provider, a service executor or a service provider. The access right (read right, write right, etc.) is set for each file kept in the storage 102 in correspondence with the above-mentioned access capability, and defines which access process a party having a given access capability can perform on each data file.
As shown in FIG. 16, when a data file stored in the storage 102 of the IC card 100 is accessed from the external transaction apparatus (an application A) 110, a select command is first issued to select and determine, among the data files stored in the storage 102 of the IC card 100, the data file that is the object of the access, and a verify command is then issued to authenticate an access capability for accessing that data file. This authentication process is performed on the basis of an authentication code sent from the transaction apparatus 110. After that, when receiving an access command (read record or write record) from the transaction apparatus 110, the IC card 100 verifies whether the access command is of an access type (read, write or the like) that has been permitted beforehand as an access right corresponding to the authenticated access capability.
The security check with the access capability and the access right as stated above will next be described in more detail with reference to FIG. 17. Assume that "OK", "OK", "NG" and "NG" are set for a service provider, a card issuer, a service executor and a card holder, respectively, as the read right (an access right) for a data file stored in the storage 102 of the IC card, as shown in FIG. 17. In other words, only the service provider and the card issuer can perform a reading process on that data file.
Under such circumstances, where the read right is set as above, if an application operable with the access capability of the service provider issues a read command (READ) as shown in FIG. 17, the IC card permits the read access to that data file, since "OK" is set as the READ access right of the service provider for that data file in the IC card 100.
On the other hand, when an application operable with the access capability of the service executor issues a read command, the IC card 100 rejects the read access to that data file, since "NG" is set as the READ access right of the service executor for that data file in the IC card 100.
As stated above, the security at the time of access to a data file stored in a conventional IC card (a card-type storage medium) rests on two elements, that is, the access capability and the access right. However, if information about the relation between the access capability and the access right leaks outside, an incorrect application can easily access data files in the IC card. For this reason, the security function for accessing files in the IC card needs to be improved so that an access from an incorrect application is prevented even if the information about the relation between the access capability and the access right leaks outside, or if another person unlawfully obtains the information about the access capability and the access right.
In a typical IC card system, a transaction is carried out between the IC card and an application in one-to-one correspondence. With the increasingly diversified and sophisticated needs of users, systems have appeared that operate in a mode where a plurality of applications can simultaneously use the same IC card. In such a system, the security function of the present-day IC card is insufficient. Such a system requires a security function that can manage applications within the IC card, taking simultaneous accesses from a plurality of applications into consideration.
As described with reference to FIG. 16, in the conventional command process, which assumes that every command is issued from the same application (the application A in FIG. 16), a security check is made with only the access capability and the access right. It is therefore impossible to identify the application that issued a command.
In a system in which a plurality of applications can simultaneously access the same IC card, if, after an application has issued a select command and a verify command to select and determine a data file that is the object of the access and has authenticated the access capability, a different application B issues an access command to that data file, the IC card 100 accepts the access command from the application B, since in the conventional command process the IC card 100 mistakenly takes that access command as one issued from the same application. As a result, the application B can gain unauthorized access to that data file.
Problems for the security function of the conventional IC card are summarized as follows:
(a) If an incorrect application obtains security information (an access capability and an access right) without authorization, the present security function allows an unauthorized access to a data file.
(b) In a system in which a plurality of applications can simultaneously access the same IC card, if, after the data file that is the object of an access has been determined, a different application tries to access that data file, the system allows that unauthorized access.
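The conventional security check of FIGS. 16 and 17 and problem (b) above, modelled as an added Python example that is not part of the patent; the file name, capability labels and authentication codes are constructed placeholders:

```python
# Constructed read rights for one data file as in FIG. 17 ("OK" -> True, "NG" -> False).
READ_RIGHTS = {"data_file": {"service_provider": True, "card_issuer": True,
                             "service_executor": False, "card_holder": False}}
# Constructed (placeholder) authentication codes, one per access capability.
AUTH_CODES = {"service_provider": "code-sp", "card_issuer": "code-ci",
              "service_executor": "code-se", "card_holder": "code-ch"}


class ConventionalICCard:
    """Toy model of the conventional card: checks only capability and right."""

    def __init__(self):
        self.selected = None    # data file chosen by the SELECT command
        self.capability = None  # capability authenticated by the VERIFY command

    def select(self, file_name):
        if file_name not in READ_RIGHTS:
            return "NG"
        self.selected = file_name
        self.capability = None  # a new selection needs a fresh VERIFY
        return "OK"

    def verify(self, capability, auth_code):
        # Authentication is based only on the code sent with the command.
        if self.selected is None or AUTH_CODES.get(capability) != auth_code:
            return "NG"
        self.capability = capability
        return "OK"

    def read_record(self):
        # Nothing here records which application issued the command: any
        # command arriving after VERIFY is treated as coming from the same one.
        if self.selected is None or self.capability is None:
            return "NG"
        return "OK" if READ_RIGHTS[self.selected][self.capability] else "NG"


def fig17_check(capability, auth_code):
    """Single-application flow of FIGS. 16 and 17: SELECT, VERIFY, READ RECORD."""
    card = ConventionalICCard()
    card.select("data_file")
    card.verify(capability, auth_code)
    return card.read_record()


def multi_application_flow():
    """Problem (b): application A selects and verifies, application B reads."""
    card = ConventionalICCard()
    card.select("data_file")                    # issued by application A
    card.verify("service_provider", "code-sp")  # issued by application A
    return card.read_record()                   # issued by application B
```

The service executor is rejected by the read-right table, but application B's read is accepted even though B never verified anything, because the card has no notion of which application a command came from.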