JP6828548B2 - Electronic information storage medium, IC card, tampering check method and tampering check program - Google Patents

Description

The present invention relates to the technical field of electronic information storage media such as IC (Integrated Circuit) chips.

IC cards are used for credit cards, bank cash cards, ETC (registered trademark) (Electronic Toll Collection System) cards, SIM (Subscriber Identity Module Card) cards, etc., and high security is required due to the characteristics of their use. ing.

The IC chip mounted on the IC card performs calculations for authentication, storage of keys, and the like, and is exposed to various external attacks in order to illegally obtain such information. Typical examples of such attacks include power consumption analysis attacks such as SPA (Simple Power Analysis) attacks and DPA (Differential Power Analysis) attacks, DFA (Differential Fault Analysis) attacks, and data falsification by laser irradiation.

The power consumption analysis attack focuses on the fact that the power consumption of the IC card correlates with the processing content, and illegally obtains information by measuring the power consumption and performing statistical processing. On the other hand, Patent Document 1 discloses a countermeasure technique against a power consumption analysis attack.

Japanese Unexamined Patent Publication No. 2005-322018

On the other hand, in an attack by laser irradiation, the information stored in the IC chip can be illegally obtained or the IC chip can be obtained by irradiating the IC chip with a laser and falsifying the data stored in the IC chip. It is carried out for the purpose of inducing fraudulent processing (such as normal termination by authentication processing using an incorrect key).

Conventionally, as a countermeasure against attacks by laser irradiation, important data has been duplicated and verified by error detection data (CRC (Cyclic Redundancy Check), etc.), and when fraudulent activity is detected, IC Error processing such as stopping the function of the chip is performed. Here, when an attacker carries out an attack by laser irradiation, where the target data is stored on the IC chip (or where the execution program of the target process is stored) is the appearance of the IC chip. I can't know from. Therefore, as one of the attack methods, there is a method of irradiating multiple places on the IC chip with a laser and narrowing down the attack target while checking the behavior of the IC chip (whether error processing has been performed, etc.) at that time. .. At this time, the attacker repeats the attack against a large number of IC cards until the attack is successful, and how many IC cards the attacker consumes is an index of the security evaluation of the IC card. It becomes one of.

Therefore, in the present invention, an attacker who attacks by laser irradiation is required to have a high security level in a storage area on an electronic information storage medium such as an IC chip (for example, a private key, a PIN (Personal Idendification Number), etc.). It is an object of the present invention to provide an electronic information storage medium or the like in which the position where) is stored cannot be easily specified.

In order to solve the above problems, the invention according to claim 1 includes a normal storage area and a security storage area for storing security data having a higher security level than the data recorded in the normal storage area. A storage means for storing check data in the normal storage area, a security storage area, a check means for performing a tampering check on a storage area in which the check data is stored, and a tampering check. As a result, it is characterized by providing an error processing means for performing error processing when tampering is detected.

The invention according to claim 2 is the electronic information storage medium according to claim 1, wherein a plurality of the check data are distributed and stored in the normal storage area. ..

The invention according to claim 3 is the electronic information storage medium according to claim 1 or 2, further comprising a security process execution means for executing a security process using the security data, and the check means is the above-mentioned check means. The storage area in which the check data is stored is checked for falsification at least at any time before, during, or after the execution of the security process.

The invention according to claim 4 is the electronic information storage medium according to any one of claims 1 to 3, wherein the checking means performs a falsification check on the security storage area at the same time. It is characterized in that a falsification check is performed on a storage area in which the check data is stored.

The invention according to claim 5 is the electronic information storage medium according to any one of claims 1 to 4, wherein the check data is data having a fixed length of a predetermined value, and the storage means is When the comparison data having a predetermined value having the same fixed length as the check data is further stored, and the check means performs a tampering check on the storage area in which the check data is stored, the check data and the check data are stored. It is characterized in that the comparison data is compared.

The invention according to claim 6 is an IC card including the electronic information storage medium according to any one of claims 1 to 5.

The invention according to claim 7 has a normal storage area and a security storage area for storing security data having a higher security level required than the data recorded in the normal storage area. A tampering check method in an electronic information storage medium provided with a storage means for storing check data in an area, the security storage area and a check step of performing a tampering check on the storage area in which the check data is stored. It is characterized by including an error processing step of performing error processing when tampering is detected as a result of the tampering check.

The invention according to claim 8 has a normal storage area and a security storage area for storing security data having a higher security level required than the data recorded in the normal storage area. A check means for checking a computer included in an electronic information storage medium including a storage means for storing check data in an area for tampering with the security storage area and the storage area in which the check data is stored, the tamper check. As a result of the above, it is characterized in that it functions as an error processing means for performing error processing when tampering is detected.

According to the present invention, falsification check is performed on the security storage area and the normal storage area, and error processing is performed not only when the security storage area is falsified but also when the check data in the normal storage area is falsified. Therefore, when the check data by the attacker is attacked, the error processing is performed, so that the attacker can misunderstand that the security data is stored in the check data part. Therefore, the attacker cannot easily identify the location where the security data with a high required security level is stored.

It is a figure which shows the hardware configuration example of the IC chip 1a mounted on the IC card 1 in this embodiment. It is a figure which shows the structural example of the storage area of the flash memory 13 in this embodiment. It is a figure which shows the configuration example of the check data storage position table T in this embodiment. It is a flowchart which shows the operation example of the CPU 10 in this embodiment. It is a figure which shows the configuration example of the check data storage position table T2 in the modification.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. First, the outline configuration and functions of the IC chip 1a mounted on the IC card 1 will be described with reference to FIG. 1 and the like. FIG. 1 is a diagram showing a hardware configuration example of the IC chip 1a. The IC card 1 is used as a credit card, a bank cash card, an ETC card, an electronic money card, an employee card, and the like. Alternatively, the IC card 1 is incorporated in a communication device such as a smartphone or a mobile phone. The IC chip 1a constitutes the electronic information storage medium of the present invention, and the electronic information storage medium may be configured by being directly incorporated on a circuit board of a communication device.

[1. Outline of IC chip 1a Configuration and function]
As shown in FIG. 1, the IC chip 1a includes a CPU 10, a ROM (Read Only Memory) 11, a RAM (Random Access Memory) 12, which is a volatile memory for temporarily storing data, and a flash, which is a non-volatile memory. It is configured to include a memory 13 and an I / O circuit 14. In addition, "Electrically Erasable Programmable Read-Only Memory" may be adopted instead of the flash memory.

The I / O circuit 14 serves as an interface with the external terminal 2. As a result, the IC chip 1a can perform contact or non-contact communication with an external terminal including an IC reader / writer. In the case of the contact type IC chip 1a, the I / O circuit 14 is provided with, for example, eight terminals C1 to C8. For example, the C1 terminal is a power supply terminal (terminal that supplies power to the IC chip 1a), the C2 terminal is a reset terminal, the C3 terminal is a clock terminal, the C5 terminal is a ground terminal, and the C7 terminal is for communicating with an external terminal. It is a terminal. On the other hand, in the case of the non-contact type IC chip 1a, the I / O circuit 14 is provided with, for example, an antenna and a modulation / demodulation circuit. Examples of external terminals include IC card issuing machines, ATMs, ticket gates, authentication gates, and the like. Alternatively, when the IC chip 1a is incorporated in a communication device, the external terminal corresponds to a control unit that has a function of the communication device.

The RAM 12 stores, for example, data temporarily required for the OS, middleware, and various applications to function.

The flash memory 13 stores programs such as an OS, middleware, and applications, and various data.

Here, the structure of the storage area formed by the flash memory 13 will be described with reference to FIG. The storage area formed by the flash memory 13 includes a security area 131 and a normal area 132. The security area 131 is used for security such as private key, authentication key for telephone function, key data such as Java (registered trademark) Key class object, PIN (Personal Identification Number) for telephone function, and encryption calculation and comparison calculation. Stores security data with a higher required security level than data stored in the normal area 132, such as program code for related processing.

The normal area 132 stores various programs and data that are not stored in the security area 131. Further, the normal region 132 stores check data C for checking whether or not a laser attack (data falsification) by an attacker targeting the IC chip 1a has been performed. At this time, in order to evenly check the entire area 132 of the normal region, it is preferable to physically disperse and store a plurality of check data C. Further, the check data C of the present embodiment is composed of a predetermined value having a fixed length (for example, 1 byte). The size of the total area for storing the check data C in the entire normal area 132 may be set in advance by the designer in consideration of the amount of data that must be stored elsewhere, or the OS may set it. The configuration may be changed as appropriate according to the amount of data that must be stored.

FIG. 3 is a diagram showing a configuration example of a check data storage position table T used when specifying a position where the check data C is stored (stored) in the normal area 132. The check data storage position table T is stored in the flash memory 13. In the check data storage position table T, information indicating an INDEX and an address is described for each check data C. For the address, information indicating the position where the check data C is stored in the normal area 132 is described. The description method may be an absolute address specification method or a relative address specification method.

The CPU 10 is an example of a computer, and is an arithmetic unit that executes various programs stored in the flash memory 13. Various programs include virtual machine programs and applications written in a program language such as Java. The OS and the virtual machine program are described by a plurality of native codes (execution code groups). The OS is software that directly controls the operation of the IC chip 1a. The OS and the virtual machine program may be stored in the ROM 11. In the following description of the process with the OS as the subject, the process is actually performed by the CPU 10 executing the OS.

The OS performs a falsification check to see if a laser attack (data falsification) by an attacker targeting the IC chip 1a has been performed. For a laser attack on the normal region 132, the OS performs a falsification check by using a part or all of the plurality of check data C stored in the normal region 132 as the check data C to be inspected. Specifically, the OS holds comparison data having the same value as the check data C value consisting of a fixed length predetermined value in the flash memory 13 (or RAM 12), and this value is the check to be inspected. A falsification check is performed depending on whether or not the data matches the data C. The OS also checks for tampering with the security area 131. For the falsification check of the security area 131, a conventionally known method (for example, CRC or the like) may be adopted, or the security area 131 may be checked by the check data C as in the normal area 132.

The OS performs error processing when tampering is detected by the tampering check on the security area 131 or the normal area 132. As the error processing, a conventionally known processing (for example, stopping the function of the IC chip 1a) is performed.

[2. Operation of CPU10 (OS)]
Next, a falsification check process of the normal area 132 by the CPU 10 (OS) will be described with reference to FIG. FIG. 4 is a flowchart showing an example of falsification check processing of the normal area 132.

First, the OS (CPU 10 that executes) determines whether or not it is the check time to check the falsification of the normal area 132 (step S101). The check time is set in advance, and for example, the following times (1)-(3) can be set.
(1) Before, during, or after processing (an example of "security processing") using data (key data or control data) stored in the security area 131 (2) IC by a signal from the reader / writer Before the chip 1a starts processing (3) Before the IC chip 1a transmits data to the outside However, since it is a falsification check, it may be performed at a time other than the above (1)-(3). Further, in the falsification check process of the normal area 132, the falsification check is performed on the check data C as the inspection target, but the time of the falsification check of the security area 131 (the time of (1)-(3) above and other conventional times). It may be performed at the same time as (known time, etc.) or at a different time.

When the OS determines that it is not the check time for the falsification check (step S101: NO), the OS performs the process of step S101 again. On the other hand, when the OS determines that it is time to check for falsification check (step S101: YES), the OS refers to the check data storage position table T and randomly extracts INDEX (step S102). For example, the OS randomly selects a predetermined number of INDEXs (set according to the processing performance of the CPU 10 and the processing time allowed for the falsification check processing) among the INDEXs described in the check data storage position table T. For example, use a random value).

Next, the OS specifies an address corresponding to one INDEX extracted in the process of step S102 (step S103). Next, the OS performs a falsification check on the check data C stored in the address specified in the process of step S103 as an inspection target (step S104). Specifically, the OS compares the check data C to be inspected with the comparison data stored in the flash memory 13 (or RAM 12).

Next, the OS determines whether or not it has been tampered with as a result of the tampering check in step S104 (step S105). At this time, if the OS determines that the data has been tampered with (the check data C and the comparison data do not match) (step S105: YES), the OS performs error processing (step S106) and ends the tampering check process. To do. On the other hand, when the OS determines that the data has not been tampered with (the check data C and the comparison data match) (step S105: NO), then the OS has tampered with the number of INDEX extracted in the process of step S102. It is determined whether or not the check has been performed (step S107).

When the OS determines that the falsification check for the number of INDEX cases extracted in the process of step S102 has not been performed (step S107: NO), the OS proceeds to the process of step S103. That is, the OS repeats the loop processing of steps S103 to S107 until all the check data C stored in the address corresponding to the INDEX extracted in the process of step S102 is checked for falsification. In the process of step S103 during the loop processing, the OS specifies the address corresponding to one INDEX that has not been specified during the loop processing so far, among the addresses corresponding to the INDEX extracted in the process of step S102. And.

On the other hand, when it is determined that the falsification check for the number of INDEX cases extracted in the process of step S102 has been performed (step S107: YES), the OS ends the falsification check process.

In the IC chip 1a of the present embodiment described above, the flash memory 13 (an example of the "storage means") is requested from the normal area 132 (an example of the "normal storage area") and the data recorded in the normal area 132. It has a security area 131 (an example of a "security storage area") that stores security data with a high security level, stores check data C in the normal area 132, and CPU 10 ("check means", "error processing". An example of "means") performs a tampering check on the security area 131 and the storage area in which the check data C is stored, and performs error processing when tampering is detected as a result of the tampering check.

Therefore, according to the IC chip 1a of the present embodiment, the security area 131 and the normal area 132 are tampered with, and the check data C in the normal area 132 is tampered with not only when the security area 131 is tampered with. Since error processing is also performed in some cases, the attacker misunderstands that security data is stored in the check data C part because the error processing is performed when the check data C by the attacker is attacked. Can be made to. Therefore, the attacker cannot easily identify the location where the security data with a high required security level is stored.

Further, in the IC chip 1a of the present embodiment, a plurality of check data Cs are distributed and stored in the normal region 132. As a result, the normal area 132 can be widely checked for tampering, and if tampering has been performed, error processing is performed, making it difficult for an attacker to identify the location where security data is stored. Can be made to.

Further, in the IC chip 1a of the present embodiment, the CPU 10 (an example of "security processing execution means") executes security processing using security data, and checks for falsification of the storage area in which the check data C is stored. , It may be performed at least at any time before, during, or after the execution of the security process. Since an attacker attempts to leak data by executing security processing based on data falsified by a laser attack, in this case, at least at least any time before, during, or after execution of the security processing. By performing a tampering check and processing an error if tampering has been performed, it is possible to make it difficult for an attacker to guess the physical position of the security area 131.

Furthermore, the IC chip 1a of the present embodiment may perform a falsification check on the storage area in which the check data C is stored at the same time as the CPU 10 performs the falsification check on the security area 131. In this case, even if it is a laser attack on the normal area 132, by performing the same error processing as the attack on the security area 131 at the same time, the attacker can misidentify the normal area 132 as the security area 131 and secure the security. Attacks on the area 131 can be reduced, and thus the possibility of security data leakage can be reduced.

Further, in the IC chip 1a of the present embodiment, the check data C is data having a fixed length of a predetermined value, and the flash memory 13 (or RAM 12) (an example of "storage means") is the same as the check data C. Further storing the comparison data consisting of a predetermined value of a fixed length, the CPU 10 compares the check data C with the comparison data when performing a tampering check on the storage area in which the check data C is stored. Therefore, the flash memory 13 (or RAM 12) can be effectively used as compared with the case where each check data C has a different length and value (comparison data is stored for each check data C). It is not necessary to keep it), and the processing load of the CPU 10 in the falsification check processing can also be reduced.

[3. Modification example]
Next, a modified example of the above embodiment will be described. The modifications described below can be combined as appropriate.

[3.1. Modification 1]
In FIG. 2, the check data C is not included in the program, but the check data C may be arranged in the program. For example, in the program code, the check data C is defined as dummy data that is not used for processing. The dummy data is not used in the processing of the program, but by defining it so that it can be referred to from the outside, the OS can grasp where the dummy data is stored in the flash memory 13, so check it. It is described in the address field of the data storage position table T. As a result, the check data C can be stored as dummy data in the area where the program of the flash memory 13 is stored.

[3.2. Modification 2]
In the above embodiment, the check data C is data having a fixed length of a predetermined value, but at least one of the length (Length) and the value may be different for each check data C. In this case, as shown in FIG. 5, in addition to the INDEX and the address, the length (Length) and the value of the check data C are described in the check data storage position table T2. Then, at the time of the falsification check process, the check data C for the "length" is specified from the "address" described in the check data storage position table T2, and the check data C and the check data are stored. The "values" described in the position table T2 are compared.

[3.3. Modification 3]
In the above embodiment, the check data C consisting of a fixed length predetermined value is stored in the normal area 132, but a bit string already stored in the normal area 132 at an arbitrary position, length, and value. May be used as the check data C. In the case of the present modification 3, the same check data storage position table T2 as in the case of the modification 2 can be used. According to this modification, it is not necessary to store the check data C having a fixed length of a predetermined value in the normal area 132, so that a large amount of free area in the normal area 132 can be secured. However, if the bit string whose value changes due to normal program execution or the like is used as the check data C, the value of the check data storage position table T2 needs to be rewritten every time the value changes, which increases the processing load of the CPU 10. It is preferable to specify a bit string that does not change and use it as check data C.

[3.4. Modification 4]
The position (address position) for storing the check data C may be different for each IC card 1 (IC chip 1a). In general, an attacker obtains a large number of cards of the same type and guesses the position where security data is stored while changing the position of irradiating the laser one by one, so check as in this modification. By making the position of the data C different for each IC card 1 (IC chip 1a), it is possible to make it more difficult to specify the position where the security data is stored.

1 IC card 1a IC chip 10 CPU
11 ROM
12 RAM
13 Flash memory 131 Security area 132 Normal area 14 I / O circuit C Check data

Claims (8)

A storage area having a normal storage area and a security storage area for storing security data having a higher security level required than the data recorded in the normal storage area, and storing check data in the normal storage area. Means and
A check means for performing a falsification check on the security storage area and the storage area in which the check data is stored, and
An error handling means that performs error handling when tampering is detected as a result of the tampering check, and
An electronic information storage medium characterized by comprising. The electronic information storage medium according to claim 1.
An electronic information storage medium characterized in that a plurality of the check data are distributed and stored in the normal storage area. The electronic information storage medium according to claim 1 or 2.
Further provided with a security process execution means for executing the security process using the security data,
The check means is an electronic information storage medium characterized in that a falsification check is performed on a storage area in which the check data is stored at least at any time before, during, or after the execution of the security process. .. The electronic information storage medium according to any one of claims 1 to 3.
The check means is an electronic information storage medium characterized in that a falsification check is performed on a storage area in which the check data is stored at the same time as a falsification check is performed on the security storage area. The electronic information storage medium according to any one of claims 1 to 4.
The check data is data having a fixed length and a predetermined value.
The storage means further stores comparison data having a predetermined value having the same fixed length as the check data.
The check means is an electronic information storage medium characterized in that when a falsification check is performed on a storage area in which the check data is stored, the check data and the comparison data are compared. An IC card including the electronic information storage medium according to any one of claims 1 to 5. A storage area having a normal storage area and a security storage area for storing security data having a higher security level required than the data recorded in the normal storage area, and storing check data in the normal storage area. A method for checking for tampering in an electronic information storage medium provided with means.
A check process for performing a falsification check on the security storage area and the storage area in which the check data is stored, and
An error processing process that performs error processing when tampering is detected as a result of the tampering check, and
A tampering check method characterized by including. A storage area having a normal storage area and a security storage area for storing security data having a higher security level required than the data recorded in the normal storage area, and storing check data in the normal storage area. A computer included in an electronic information storage medium equipped with means,
A check means for checking for falsification of the security storage area and the storage area in which the check data is stored.
An error handling means that performs error handling when tampering is detected as a result of the tampering check.
A tampering check program characterized by functioning as.

Images