JPS62211756A - IC card test method - Google Patents

Abstract

PURPOSE:To surely execute testing by judging whether given command is regular test program start command or not at the time of a start command is given to a test program inside of an IC card and erasing all content of memory before entering test mode. CONSTITUTION:A check circuit 22 that checks propriety of test program start request of a card is provided with an I/O terminal and a reset terminal for making giving and taking of data with the terminal with the card mounted to the terminal. A memory erasing circuit 28 takes in a memory erasing start signal at the time of it is judged by the result of comparison from a comparing section 25 that regular program start request occurred, and gives, for instance, a chip erase instruction to a data memory 21, and enters testing operation after waiting for completion of erasing of the content of the memory 21.

Description

DETAILED DESCRIPTION OF THE INVENTION [Technical Field of the Invention] The present invention relates to an IC card testing method that takes into consideration safety when starting a test program stored in an IC card.

[Prior art and its problems] In recent years, it has become known as the cashless era, and by using cards issued by credit card companies, it has become possible to purchase products without handling cash.

Cards conventionally used include plastic cards, embossed cards, and magnetic stripe cards, but these cards are easy to forge due to their structure, so unauthorized use has become a problem.

In order to solve this problem, an information card, a so-called IC card, is being considered in which an IC circuit that stores an authentication number and the like is built into the card so that the authentication number cannot be easily read from the outside.

Incidentally, such an IC card stores various LSIs such as data memory and system program ROM, but in particular, data memory addressing, write/read operations, and bit pattern status of system program ROM are always normally performed. Therefore, it is necessary to be able to test these conditions when the card is completed or even while the card is in use.

Therefore, in conventional IC cards, a test program is stored, and this program is executed from outside the card using a test terminal provided on the card to enable a predetermined test.

However, by starting the test program like this, I
If the C card is placed in the test mode, all of the card's secrecy is no longer maintained, so there is a risk that all confidential contents held in the IC card's memory may be read out. This not only makes it possible to forge cards based on this information, significantly reducing security, but in the worst case scenario, the technology of the entire system that uses IC cards can be analyzed and exploited for grand scheme. There was a risk.

[Purpose of the invention]

The present invention has been made in view of the above circumstances, and an object of the present invention is to provide an IC card testing method that can reliably ensure safety when executing a test program in an IC card.

[Summary of the Invention] The IC card testing method according to the present invention detects when a start command is given to the test program inside the IC card, determines whether it is a legitimate test program start command, and switches the IC card to test mode. The configuration is such that all contents of the data memory are erased before entering.

[Embodiments of the invention] An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 shows the circuit configuration of the same embodiment.

In the figure, 11 is a system bus, and this system bus 11 includes a data ROM 12, an application data R
An OM 13, a working RAM 14, a system program ROM 15, a test program ROM 16, a main controller 17, a data memory controller 18, a cryptographic comparator 19, and a USART circuit 20 are connected, respectively.

Here, the data ROM 12 stores all operating conditions for the IC card itself, and these condition data are stored as answer-to-reset data (not shown) in accordance with a predetermined format when the internal initialization of the card itself is completed. It is configured to be sent to the terminal side.

The application data ROM 13 contains card type data rAPNJ indicating what type of card this card is.
This data is stored in the answer to
After setting the initial parameters based on the reset data, it is sent out in a predetermined data format when exchanging attributes with the terminal.

The working RAM 14 stores calculation data within the card.

The system program ROM 15 contains various system programs as well as code signals rAcKJ or rNAC indicating whether the signals transmitted and supplied from the terminal side are correct or not.
Equipped with J. In addition, this system program ROM
15 is written with a specific code for finally checking the test program starting command from the terminal.

The test program ROM 16 stores a test program for checking the pit pattern in the system program ROM 15 or accessing the data memory as a test inside the card.

The main controller 17 outputs operation commands to each circuit in accordance with the data signal transmitted and supplied from the terminal side and the operating state.

The data memory controller 18 is the main controller 1
Addressing and data writing/reading to the data memory 21 can be performed in response to commands from 7, and furthermore, these addressing and data writing/reading can be completely stopped.

For example, an EEP-ROM is used as the data memory 21. In this case, such data memory 25 is rc, Aj
, rIPINJ, [PANj, rcHNJ, rEPDJ
, rPRKJ codes, status data rsTJ, and other information. Here, rcAJ (Ca
rd Authenticator) is a random code used to encrypt and decrypt messages.

rIPINJ (Initialization P
personalIdentificationNu
mber) is a random code, for example, 6 bits, and is a number until the own verification number rPINJ is used. rPANJ (Primary Account
Number) represents the account number. rCH
NJ (Card hotter's Name
) represents the cardholder's name. rEPDJ
(Exp i rat i.

n　Date) represents the expiration date.

rPRKJ (Private Key Cod
e) is a decryption code. rsTJ is used to represent the current card status and is sent to the terminal side in data format.

One code comparator decodes the input data transmitted from the terminal side based on the rR3AJ algorithm, and also compares it with a specific code read from the system program ROM 15 if necessary. The output of this cryptographic comparator 19 is then sent to the main controller 17.

The USART circuit 20 controls data transmission to and from the terminal.

On the other hand, 22 is a check circuit for checking whether or not a request to start the test program of the card is made.
has an I10 terminal for exchanging data with the terminal when the card is attached to the terminal, and a Re5et terminal to which a reset signal is applied. Level detectors 23 and 24 are connected to these I10 and Re5et terminals. In this case, in addition to the regular reset signal, a plurality of analog signals with different levels are connected to the I10 terminal and the Re5et terminal, respectively.
It is input in series in synchronization with the clock signal Φ of the lock terminal. Specifically, as shown in FIG. 3, as multi-level signals with different levels, for example, 31a (7) with different 1st positions.
1f voltages VCc1V1 and V2 are used, and these three-value signals are given to the I10 terminal and the Re5et@ terminal in a predetermined order in synchronization with the clock signal Φ. In this state, the level detectors 23 and 24 indicate "O" for VCC, "1" for Vl, and ■2, corresponding to the above three-valued numbers.
In this case, level information of "2" is obtained.

The outputs of the level detectors 23 and 24 are given to the comparator 25. The comparator 25 is supplied with the output of the level matrix 26 . This level matrix 26 has card-specific level information corresponding to the level information from the level detectors 23, 24. Further, the level matrix 26 is given the above clock signal.

Then, the comparison result of the comparison section 25 is the main controller 1.
Sent to 7.

Here, to describe the check circuit 22 in more detail based on FIG. 2, the level detectors 23 and 24 have output terminals 01 and o2, and when the level information is "0",
O”, level information “1” ro1J, level information “2”
”, outputs “10”. The comparator 25 to which the outputs of the level detectors 23 and 24 are supplied has two matching circuits 251 and 252 and a logic circuit 253 to which the outputs of the level detectors 23 and 24 are respectively given, When coincidence outputs are obtained at the same time in circuits 251 and 252,
The logic circuit 253 is configured to provide an output of "1".

On the other hand, the level matrix 26 includes a counter 261 that counts the clock signal, and a count 1-1 of the counter 261.
A matrix unit 262 that outputs read addresses 1 to 10 according to the contents and ternary level information stored in advance according to the address specified in the matrix unit 262.
Storage units 263 and 264 that output “0”, “1”, and “2”
have. In this case, level information "0" is roOJ
, level information "1" is "01", level information "2" is "
10" is output as code data.

The output of the storage section 263 is given to the matching circuit 251, and the output of the storage section 264 is given to the matching circuit 252.

On the other hand, returning to FIG. 1, an output corresponding to the comparison result of the comparing section 25 of the check circuit 22 is given to the memory erasing circuit 28. If the comparison result in the comparator 25 corresponds to a normal program start request, the memory erasing circuit 28 takes it in as a memory erasing start signal and sends it to the data memory 2.
For example, a chip erase command is given to the memory 21 to erase the entire contents of the memory 21. Then, after the completion of erasing the contents of the memory 21, a memory erasure completion signal is sent to the main controller 17.

Note that from the terminal side, power for driving the card is applied to the Vcc terminal, and power for writing to the data memory 21 is applied to the VDp terminal. The power supply voltage at this time is set on the terminal side based on answer-to-reset data stored in the data ROM 12. Further, the GND line on the terminal side is connected to the GND terminal. Furthermore, c l
The clock signal at the ock terminal is passed through the frequency divider 27 to Φ'
is supplied to each circuit as

Here, the relationship between such an IC card and the terminal to which the card is installed will be briefly described as follows. Now, when an IC card is inserted into a terminal, an initial setting signal set in advance on the terminal side is transmitted. Then, the IC card is operated under operating conditions based on this signal.

In other words, the data R is controlled by the main controller 17.
The answer-to-reset data stored in OM12 is read out and sent to the terminal side. and,
If this data is determined to be correct on the terminal side, the card-specific operating conditions are set and rEN
A QJ (makeshift) code will be sent back to you. This code is written into working RAM 14. In this state, the main controller 17 determines whether or not the rENQJ code can be properly received through normal operation.
If YES from system program ROM15, “AC
K", and in the case of NO, the rNAcJ signals are extracted and sent to the terminal side. Then, on the terminal side, r
When the AcKJ signal is confirmed, a different terminal code rTcJ is returned depending on the type of terminal.

On the other hand, if the rNAcJ signal is confirmed, the connection with the terminal is severed. When the terminal code rTcJ is sent from the terminal side, the main controller 17 in the IC card stores the application data in the ROM 13.
A different application name rAPNJ is extracted depending on the type of card stored in the terminal and sent back to the terminal side.

Thereafter, when it is determined on the terminal side whether or not the application types have a correspondence relationship based on rAPNJ, an instruction code is returned. On the other hand, if it is determined that there is no match,
The connection with the terminal is severed. When the command code is obtained in this way, the own authentication number rPINJ entered from the terminal is compared with the authentication number pre-stored in the IC card, and after waiting for the two to match, subsequent financial transactions etc. Information exchange begins.

Next, the operation of the embodiment configured as described above will be explained according to the flowchart shown in FIG.

First, to perform a test, an IC card is attached to a test terminal. Then, the 110 terminal of the IC card, R
The e5et terminal, clock terminal, ycc terminal, vpp terminal, and GND terminal are connected to corresponding terminals on the terminal side.

This causes the process to proceed to step A1. In this step A1, it is determined whether or not the request to start the test program is accepted. To do this, first, multi-value signals of different levels are applied from the terminal side to the I10 terminal and the Re5et* child as a test program starting command. Specifically, by a test command on the terminal side, two sets of ternary voltages Vc with different levels are generated in synchronization with the clock signal as shown in Figure 3.
c, Vl, and V2 are output in series and applied to the 110 terminal and the Re5et terminal.

In this case, in the illustrated example, V2-VCC-Vl is applied to the I10 terminal.
-VCC...-■10 ternary signals are given in the order of 2, and Vl-V2-Vcc...-Vl is applied to the Re5et terminal.
Ten ternary numbers are given in this order. Then, serial level information corresponding to these ternary numbers is sequentially generated from the output terminals o1 and o2 of the level detectors 23 and 24,
The signal is applied to matching circuits 251 and 252 of the comparator 25.

On the other hand, in the level matrix 26, a counter 261 counts the clock signal Φ from the terminal. Then, read addresses from 1 to 10 are outputted from the matrix section 262 according to the count contents of the counter 261. As a result, the serial level information stored in advance in the storage units 263 and 264 in order from addresses 1 to 10 is read out. In this case, the level information read from the storage unit 253 is r2J rOJ rlJ..."2
", and the level information read from the storage unit 254 is output in the order rlJ r2J rOJ . . . "1". These outputs are then given to matching circuits 251 and 252 of the comparator 25, respectively.

As a result, the matching circuits 251 and 252 check whether the level information from the level detectors 23, 24 and the level information from the level matrix 26 match.

In this case, if a matching result is obtained, the logic circuit 25
3 will generate a "1" output, but if the combination of ternary numbers from the terminal is incorrect due to an unauthorized program startup request,
If it differs from what has been stored in advance in the storage units 263 and 264, "0" remains as a non-coincidence result.

The output of the logic circuit 253 in this state is sent to the main controller 17.

In this case, if the 311 signal shown in FIG. 3 is input to the I10 terminal and the Re5et terminal, the matching circuit 251.2
Since matching results are obtained for all of the circuits 52, the logic circuit 253 generates an output of "1". Then, it is determined that the request is a legitimate program activation request, and the process proceeds to step A2.

In step A2, the main controller 17 commands the terminal side to notify that the request has been accepted as a legitimate program startup request.

In this state, a specific code to start the program is sent from the terminal side and given to one cryptographic comparator.

On the other hand, a specific code written in the system program ROM 15 is read out according to a command from the main controller 17, and is given to the code comparator 19. Thereby, in step A3, the specific code from the terminal is compared with the specific code of the card itself. If the comparison results do not match, the process proceeds to step A4, where card invalidation processing is executed. In this case, card invalidation processing is performed by the data memory controller 18 after receiving a command from the main controller 17.
Address designation and writing/reading of data to/from the data memory 21 by the data memory 21 are completely stopped. On the other hand, if they match, the process advances to step A5.

In this step A5, since the comparison result by the comparator 25 in step A1 corresponds to a normal program activation request, this is taken into the memory erasing circuit 28 as a memory erasing start signal. Then, this memory erase circuit 28 gives a chip erase command to the data memory 21, and as a result, the data memory 21
All contents will be deleted. Then, when erasing the contents of the data memory 21 is completed, a memory erasure completion signal is output to the main controller 17. In this state, the process advances to step 86, where the contents of the test program ROM 16 are read out in response to a command from the main controller 17, and the terminal side checks the bit pattern of the system program ROM 15 in the card or accesses the data memory 21. becomes possible.

However, if the combination of 311 signals from the terminal is different from the normal one due to an illegal program activation request in step A1, a mismatch will occur in either of the matching circuits 251 and 252. As a result, the output of the logic circuit 253 remains at "0", and it is determined that an unauthorized activation request has been made, and the process proceeds to step A4. Therefore, in the same manner as described above, the data memory controller 18 performs addressing and data writing/El to the data memory 21.
! All withdrawals will be stopped and the card will be invalidated.

Therefore, in this way, when a request to start the test program inside the IC card is given, all the contents of the data memory can be erased before entering the test mode. Even if the confidentiality of the data is no longer maintained, there is no possibility that the contents of the data memory will be read out. This means that even if the test program inside the IC card is started illegally, the IC card
The security of the card can be reliably ensured, and attempts to extract highly confidential information to the outside can be prevented, so it is possible to prevent counterfeiting of cards and technical analysis of the entire system. This can dramatically improve the security of the card system.

It should be noted that the present invention is not limited to the above-mentioned embodiments, but can be implemented with appropriate modifications without changing the gist.

The above-described combination of level information in the storage units 263 and 264 of the level matrix 26 is an example, and other combinations may also be used.

In this way, even cards using the same IC circuit can be used as cards using different IC circuits. Furthermore, although three-valued numbers have been used throughout in the above description, signals of four or more values may be used, analog signals may be used, and there is no limitation on the number of types of terminals used.

[Effects of the Invention] According to this invention, the contents of the data memory in the IC card are erased in advance when the test program is executed, thereby eliminating the possibility that the memory contents may be read out illegally, thereby preventing card forgery, etc. It is possible to reliably ensure the safety of the card, such as by being able to reliably prevent this.

[Brief explanation of drawings]

FIG. 1 is a block diagram showing the circuit configuration of an embodiment of the present invention, FIG. 2 is a circuit diagram showing a check circuit used in the embodiment, and FIG. 3 is a 3Wi signal diagram used in the embodiment. A time chart is provided for explanation, and FIG. 4 is a flowchart for explanation of the operation of the same embodiment. 15... System program ROM, 16... Test program ROM, 17... Main controller,
18...Data memory controller 1.21...Data memory, 22...Check circuit, 23.24...
・Level detector, 25... Comparison section, 251.252・
... Matching circuit, 253 ... Logic circuit, 26 ... Level matrix, 261 ... Counter, 262 ... Matrix section, 263.264 ... Storage section, 28 ...
Memory erase circuit.

Claims (1)

[Claims] In an IC card test program in which a test program stored in an IC card is executed by a test program start command given from outside the card, the test program start command given from the outside of the card is detected and the start command is executed. and a memory data erasing means for erasing the contents of the data memory that stores the secret information of the IC card based on the result of the judgment made by the means as to whether the command is a legitimate test program starting command. A test method for an IC card, characterized in that the test program is executed after the contents of the data memory are erased by a memory data eraser.