Classifications

• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
  • G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
  • G06K7/00—Methods or arrangements for sensing record carriers, e.g. for reading patterns
  • G06K7/0013—Methods or arrangements for sensing record carriers, e.g. for reading patterns by galvanic contacts, e.g. card connectors for ISO-7816 compliant smart cards or memory cards, e.g. SD card readers
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
  • G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
  • G06Q20/355—Personalisation of cards for use
  • G06Q20/3552—Downloading or loading of personalisation data
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
  • G06Q20/409—Device specific authentication in transaction processing
  • G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
  • G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/0806—Details of the card
  • G07F7/0813—Specific details related to card security
  • G07F7/0826—Embedded security module

Definitions

• the invention relates to smart card readers, and more particularly readers whose operation is secured by a security component executing specific programs linked to the security of an application.
• These readers include a microcontroller provided with a program read only memory, in order to execute an application program frozen in this memory. And they also include a security component, distinct from the ⁇ icrocontroller, capable of executing specific programs (related to security or confidential elements of the application) under the control of the microcontroller in such a way that any data communication between the smart card and the security component must pass through the microcontroller.
• the security component is therefore in a way also a microcontroller, with its program memories, but it is not connected directly to an input connector of the reader. It only communicates with the microcontroller, which is connected to the input connector.
• the microcontroller can therefore communicate either with the smart card inserted in the input connector or with the security component, and, since the application is frozen and takes place as soon as a smart card is inserted into the reader, it is the microcontroller which acts as a master with respect to the smart card and with respect to the security component.
• the present invention aims to solve, we can give the example of a smart card reader dedicated to a particular application placed under the control of an application manager, and it is this manager who sells smart cards. Only cards issued by the service provider are authorized.
• the security component normally has the task of detecting, using encryption algorithms; and decryption, that the card placed in the reader is an authorized card.
• the reader's microcontroller controls the progress of the entire application; it transmits instructions to the security component and controls the data communication between the card and the security component.
• the standard user of the application obviously does not have access to the programs and data of the non-volatile memories of the security component.
• the microcontroller programmed by a read-only memory constitutes the necessary barrier so that this user can neither know what is happening in the security component, nor modify it.
• the program requires the security component to provide data to the card, it in principle provides it in encrypted form.
• the application program frozen in ROM so cannot be modified by a user, does not provide access to the non-volatile memory areas of the security component.
• the application manager may need, for test reasons, a diagnostic of faults, or even the necessity of slight modifications in the parameters of the application, to control certain contents of memory of the security component, or to modify these contents.
• One solution would be to leave the terminals of the security component partially accessible, for example so that they can be accessed via test probes after opening the reader. But in practice, for security reasons, it is preferred to completely drown the access pins of the security component in a resin.
• the program read-only memory of the microcontroller contains, in addition to the program of the application to which the reader is dedicated, other programs triggered by special protocols. These programs would therefore be present in advance in the read-only memory of the microcontroller and would a priori include all of the read or write access programs that the application manager might need to use later. It is hardly possible, and even dangerous if the secret data must be used (secret code for example).
• the object of the present invention is to propose a means so that the application manager can easily access, for testing, diagnostic or modification purposes, the security component, that is to say in practice at certain memory areas of this security component, without compromising the security of the application.
• the invention provides a smart card reader whose microcontroller has two operating modes which are normal operation, for use by a standard user, for the execution of the frozen application program to which the reader is dedicated, and "transparent" operation, which the standard user does not have the use of, in which the microcontroller can receive a smart card or a probe simulating a smart card puce, access instructions which it interprets not as instructions to access its own memories, but as instructions to access the memories of the security component. More specifically, the invention provides a square reader comprising an input connector, a microcontroller, and a security component executing programs under the control of the microcontroller, the microcontroller having a normal operating mode in which it executes a contained program.
• the microcontroller in its read-only memory, characterized in that the microcontroller also has a so-called "transparent" operating mode, in which it is automatically placed on receipt of a specific code on the input connector, and in which it receives from the connector d input of memory area addressing instructions and it executes these instructions by interpreting them as being orders to access memory areas of the security component.
• transparent operating mode comprises four main instructions which are respectively:
• the security component has an electrically programmable non-volatile memory, in particular for personalization reasons, it will be possible to access this memory, for the application manager but not for the standard user, to change the data. .
• the transparent operating mode will therefore make it possible to modify the content of zones which cannot be modified by the program executed in normal mode.
• FIG. 1 shows the general configuration of a chip card reader with microcontroller and security component
• - Figure 3 shows the internal constitution of the security component
• - Figure 4 shows a table of sequences executed by the microcontroller and the test card to achieve the transition to transparent mode
• FIGS. 5 to 8 represent diagrams of sequences executed by the microcontroller, the security component and the (test) card during the execution of each of the main instructions of the transparent mode.
• the reader comprises a CN smart card connector, a microcontroller MC and a security component CS.
• a man-machine interface for example a CL keyboard and an SR screen, to allow the user to enter or read data if necessary for the application.
• the progress of the application will generally be triggered simply by the introduction of a smart card in the reader.
• the connector of CN card constitutes the entry of the reader (in general an entry with six or eight contacts, the exchange of data being carried out by a communication of serial type on one of the contacts).
• the microcontroller MC is connected to the input connector CN by a first link bus B1; it is connected to the safety component CS by a second link bus B2. There is no direct link allowing the passage of data between the security component and the input connector.
• the security component is soldered on a printed circuit forming the heart of the reader, inside the latter. Its connection pins are not physically accessible (in general, not even by test tips because the pins are covered with a protective resin).
• the microcontroller in this type of reader dedicated to a very specific application, has ROM type program memory, that is to say a non-modifiable memory (read-only memory) which contains the instruction sequences allowing the unfolding of the application.
• the microcontroller also has RAM memory allowing the temporary storage of volatile data.
• These memories are associated with an MPI microprocessor which forms the heart of the microcontroller's intelligence.
• it has sufficient input / output lines to communicate with the security components CS on the one hand, with the input connector CN on the other hand, and possibly with the keyboard CL and the screen SR.
• Figure 2 shows the structure of the microcontroller.
• the security component has a similar structure (FIG. 3) because it is in practice constituted by a microcontroller (that is to say an MP2 microprocessor provided with program and working memories), but, as indicated above, it only communicates with the microcontroller and not with the smart card. It is capable of executing programs placed in its ROM read only memory. In addition, it preferably has a portion of non-volatile, electrically writable and erasable memory (EEPROM memory). In this electrically programmable memory, it is possible to place personalization data for the programs executed by the security component. You can also place data representing variable parameters of these programs.
• EEPROM memory non-volatile, electrically writable and erasable memory
• the security component is capable of receiving orders and data on its input lines. It executes orders, stores data in memory, and returns on its output lines results of orders it has executed, in particular secret calculation results carried out by the programs it has in its non-volatile memories (ROM and EEPROM).
• ROM and EEPROM non-volatile memories
• the smart card that is inserted into the reader is capable of supplying commands and data to the microcontroller, and more generally of communicating with the microcontroller.
• the user has a smart card which he inserts into the reader to launch the application.
• a probe that is to say a simulated card, having the contacts required to communicate with the inputs of the reader, but also connected to a computer terminal.
• This simulated card allows communication between the exterior and the reader for test or debugging operations.
• Test chip cards not connected to a computer, but capable of controlling the running of test programs and collecting test data, could also be provided for needs of the application manager (but not for standard reader users).
• the security component CS and the smart card are both slave peripherals of the microcontroller MC in the application executed, in the sense that it is the microcontroller which executes the application program, the smart card and the component executing orders when requested by the microcontroller in the course of the program.
• the card and the security component therefore receive commands (read, write, execution of programs contained in the card or the security component), execute them, and return the execution results to the microcontroller.
• the microcontroller is therefore master with regard to communication with a standard smart card and communication with the security component.
• the users of the reader which will be called standard users, can do only one thing: launch the execution of the standard application program contained in the ROM memory of the microcontroller.
• the standard user has a smart card which was issued by the application manager.
• This card has elements allowing it to be authenticated, in the form of data recorded in memory (data which can be verified by the security component) and possibly in the form of authentication programs which, by comparison with programs contained in the security component, will allow authentication of the card by the latter.
• the microcontroller of the reader detects the insertion of the card, then puts it on, and sends it its first "RESET" command.
• the card receives this command and sends a "RESET RESPONSE"; this response allows recognition of the type of card so that communication can be continued according to a determined protocol.
• the card authentication procedures then take place between the card and the security component, under the control of the microcontroller which remains master.
• the microcontroller energizes the security component, receives its response to the reset, then requests a random number from it, receives this number and retransmits it to the card.
• the latter codes this random number using an encryption program that it has. It returns to the security component, via the microcontroller, the encrypted number, a datum and a signature.
• the security component verifies the authenticity, in particular by verifying that the encrypted value is the correct one, by verifying the concordance of the data and the signature, or possibly by other means.
• the user can request to transfer the data in the security component. If the user has to enter the data to transfer, it is of course necessary that the reader includes peripherals (keyboard, screen) making it possible to make a selection; these peripherals are also managed by the microcontroller and its program.
• the security component calculates the new data of the card and a new signature of the card. Data and signature are encrypted and transmitted to the microcontroller, which writes them to the smart card for future exchange. From then on, the application can start.
• the application is executed by a program contained in the non-volatile memory (ROM and EEPROM) of the security component.
• ROM and EEPROM non-volatile memory
• the invention solves this problem by providing for the automatic passage of the microcontroller into a "transparent" operating mode, different from the normal operating mode, when a special card (or a probe simulating a card and connected to a computer) is inserted into the reader. This transition to transparent mode is not authorized for standard users, and it automatically results from the recognition of a specific code at the input of the reader when the special card is introduced.
• the transition to transparent mode takes place as follows: the application manager, who has the special chip card or the probe containing the specific code, can insert it into the connector of the reader.
• the insertion of this card or probe is detected by the reader according to a conventional procedure (a single contact is used for detection).
• This detection causes the microcontroller to power up the card with reset command (RESET).
• the reset command implies a response from the card (Response to reset).
• the response to the reset includes first (according to ISO 7816-3) information on the communication protocol that will be used later, then a data field that the standard leaves free.
• a specific code not known to standard users of the smart card, is placed by the special card in this field.
• the response to the reset of the special card therefore includes this specific code.
• the specific code is recognized by the microcontroller and triggers the transition to "transparent" mode.
• the microcontroller In the transparent mode, read or write commands in memory, coming from the reader input, that is to say coming from the special card or the probe, can be received by the microcontroller. These orders are accompanied by the memory address which must be read or written. However, the microcontroller then interprets these addresses as being read or write addresses in a memory of the security component and not as a read or write address in a memory of the microcontroller as it would in normal operating mode. .
• the transition to transparent mode can consist in the initialization of a status bit or flag in a register of the microcontroller, this flag remaining in a default state corresponding to the normal mode as long as the specific code has not been recognized by the microcontroller and returning to this default state when returning to normal mode.
• the return to normal mode is carried out by a specific instruction given from the card, or following an incident (removal of the card from the reader, etc.).
• This status bit then reroutes the read or write commands received by the microcontroller from the card, and directs them to subroutines (in the microcontroller's read-only memory) containing simply a read or write order. addressed to the security component.
• the parameters assigned to this order that is to say the address where it is necessary to read or write with the data to be written, are those which are received from the smart card and they are transmitted as such by the subroutine . It will be understood that these read-only routines of the microcontroller only understand the read or write instruction addressed to the security component, but do not include the address at which it is necessary to read or write or the data to be written. The address and the data are simply transported from the working memory of the microcontroller to the security component.
• the security component If the security component is read from a memory zone, the security component transmits the data read to the microcontroller, which transmits it to the smart card.
• the transparent mode can include a small number of commands from the smart card, and in particular:
• An instruction code can be assigned to each of the possible commands; the instruction code corresponding to reading or writing can be exactly the same code which would be used for reading or writing in normal mode but it results in a different execution in transparent mode since it will then consist of a reading or a writing in the security component and not in the memories of the microcontroller.
• the microcontroller in the transparent operating mode, it can be provided that the microcontroller remains master while executing instructions supplied by the special card, and this in the following manner: it is the microcontroller which systematically sends to the card , when it has finished executing a previous sequence, a command to read the card. In other words, he puts himself in constantly listening to a possible command from the card.
• the microcontroller systematically sends a command to read the card; this first returns the length of the command that will follow; the microcontroller then sends to the card a result request (the result is the command itself).
• the card sends the command and a status word.
• the microcontroller checks the status word and executes the command (that is to say, in practice, in transparent mode, it is executed by the security component); then it returns a result if necessary; the card sends an acknowledgment.
• the microcontroller can return a read command.
• FIGS. 4 to 8 summarize the sequences executed by the microcontroller, the security component, and the special card for various instructions executed in transparent mode.
• the diagram in FIG. 4 corresponds to the sequences of passage in transparent mode; the sequences executed are as follows: - by the microcontroller: detection of the presence of a card, powering up (reset) of the card, waiting for response to reset;
• - by card response to reset with specific code in the response
• - by the microcontroller analysis of the response to reset; recognition of specific code; switching to transparent mode, with establishment of the flag for signaling transparent mode.
• FIG. 5 corresponds to a command to energize the safety component:
• FIG. 6 corresponds to an outgoing order being sent to the security component (reading of data): by the microcontroller: sending of a read command to the card; waiting for response;
• - by the microcontroller reception of the response from the card; sending a result request; waiting for response; - by card: receipt of the message; sending a read command, with memory zone address of the security component;
• the microcontroller reception of the response from the card; interpretation of the order; sending a read command from the security component to the address indicated by the card; waiting for the response from the security component;
• - by the microcontroller reception of the response, sending of an order to write the response in the card; waiting for an acknowledgment from the card; - by card: receipt of the message; execution of the writing order; sending of the acknowledgment.
• FIG. 7 corresponds to the sending of an incoming order (writing to a memory of the security component). This order is particularly important for writing to a non-volatile memory (EEPROM) of the security component, for example to modify the personalization of the reader or to modify application parameters: - by the microcontroller: sending a command to à la carte reading; waiting for response;
• EEPROM non-volatile memory
• - by card receipt of the message; sending of a write command in the security component, with write address and data to be written; - by the microcontroller: reception of the response from the card; interpretation of the order; sending of a write command in the security component, with the data indicated by the card and the address indicated by the card;
• - by the security component reception of the message; execution of the write command; sending a status word representing the status of execution of the command;
• - by the microcontroller reception of the message, sending of an order to write the status word in the card; waiting for an acknowledgment from the card;
• FIG. 8 corresponds to the switching off of the safety component and the exit from transparent mode:

Landscapes

• Engineering & Computer Science (AREA)
• Business, Economics & Management (AREA)
• General Physics & Mathematics (AREA)
• Physics & Mathematics (AREA)
• Accounting & Taxation (AREA)
• Theoretical Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Strategic Management (AREA)
• General Business, Economics & Management (AREA)
• Microelectronics & Electronic Packaging (AREA)
• Computer Networks & Wireless Communication (AREA)
• Computer Vision & Pattern Recognition (AREA)
• Artificial Intelligence (AREA)
• Finance (AREA)
• Storage Device Security (AREA)
• Control Of Vending Devices And Auxiliary Devices For Vending Devices (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=9509891

Family Applications (1)

Country Status (8)

Families Citing this family (51)

Family Cites Families (10)

• 1997
  • 1997-07-31 FR FR9709821A patent/FR2766942B1/fr not_active Expired - Fee Related
• 1998
  • 1998-07-27 EP EP98940346A patent/EP1000413A1/de not_active Withdrawn
  • 1998-07-27 CA CA002299173A patent/CA2299173A1/fr not_active Abandoned
  • 1998-07-27 JP JP2000505617A patent/JP2001512270A/ja active Pending
  • 1998-07-27 US US09/485,044 patent/US6669096B1/en not_active Expired - Fee Related
  • 1998-07-27 WO PCT/FR1998/001659 patent/WO1999006970A1/fr not_active Ceased
  • 1998-07-27 AU AU88688/98A patent/AU8868898A/en not_active Abandoned
  • 1998-07-27 CN CN98807805A patent/CN1265762A/zh active Pending

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events