This application is based on French Patent Application No. 97/09821, filed on Jul. 31, 1997, which is incorporated by reference herein.
1. Field of the Invention
The invention relates to smart card readers, and more particularly readers whose operation is protected by a security component executing specific programs related to the security of an application.
2. Related Background
Smart card readers are known which are dedicated to the execution of a specific application and which must be protected so that there is no fraud during the execution of the application (notably when the application has financial implications).
These readers have a microcontroller provided with a read only program memory, for executing an application program fixed in this memory, and also a security component, distinct from the microcontroller, capable of executing specific programs (related to security or to confidential elements of the application) under the control of the microcontroller, so that any communication of data between the smart card and the security component necessarily passes through the microcontroller.
The security component is therefore in some way itself also a microcontroller, with its program memories, but it is not directly connected to an input connector of the reader. It communicates only with the microcontroller which for its part is connected to the input connector. The microcontroller can therefore communicate either with the smart card inserted in the input connector or with the security component and, given that the application is fixed and is run as soon as a smart card is inserted in the reader, it is the microcontroller which acts as a master with respect to the smart card and with respect to the security component.
In order to illustrate the problem which the present invention aims to resolve, an example can be given of a smart card reader dedicated to a particular application placed under the control of a manager for the application, and it is this manager which sells smart cards. Only the cards issued by the provider are authorised. The task of the security component is notably to detect, by means of ciphering and deciphering algorithms, that the card placed in the reader is an authorised card. The microcontroller of the reader controls the running of the entire application; it transmits instructions to the security component and controls the data communication between the card and the security component.
A standard user of the application obviously does not have access to the programs and data of the non-volatile memories of the security component. And the microcontroller programmed by means of a read only memory constitutes the necessary barrier for this user not to be able to know what is occurring in the security component, or to modify it. For example, if the program requires the security component to supply data to the card, it supplies them in principle in encrypted form. And the application program, fixed in the read only memory and therefore not able to be modified by a user, does not provide access to the non-volatile memory areas of the security component.
However, the manager of the application may need, for reasons of testing, fault diagnosis, or even the need for slight modifications in the parameters of the application, to control certain memory contents of the security components, or to modify these contents.
One solution would be to leave the terminals of the security component partly accessible, for example so that it is possible to reach them with test probes after opening the reader. However, in practice, for security reasons, it is preferred to embed the access pins of the security component completely in a resin.
It can also be envisaged that the read only program memory of the microprocessor contains, in addition to the program of the application to which the reader is dedicated, other programs triggered by special protocols. These programs would therefore be present in advance in the read only memory of the microprocessor and would comprise a priori all the programs for access in read mode or write mode that the manager of the application could need to use subsequently. This is difficult to envisage, and even dangerous if the secret data have to be used (secret code for example).
The aim of the present invention is to propose a means for the manager of the application to be able to gain access easily, for test, diagnosis or modification purposes, to the security component, that is to say in practice to certain memory areas of this security component, without jeopardising the security of the application.
For this purpose, the invention proposes a smart card reader whose microcontroller has two operating modes: a normal operation, for the use of a standard user, for executing the fixed application program to which the reader is dedicated, and a “transparent” operation, of which the standard user does not have use, in which the microcontroller can receive, from a smart card or from a probe simulating a smart card, access instructions which it interprets not as instructions for access to its own memories, but as instructions for access to the memories of the security component.
More precisely, the invention proposes a card reader having an input connector, a microcontroller, and a security component executing programs under the control of the microcontroller, the microcontroller having a normal operating mode in which it executes a program contained in its read only memory, characterised in that the microcontroller also has a so-called “transparent” operating mode, in which it sets itself automatically to receive a specific code on the input connector and in which it receives from the input connector addressing instructions for memory areas and executes these instructions, interpreting them as being instructions for access to memory areas of the security component.
Thus, although the security component cannot be in direct communication with the input connector, it becomes possible to gain access to memory areas of this component: after going into transparent mode, an address for access to a memory area ceases to be interpreted as a memory address of the microcontroller and becomes a memory address of the security component. The microcontroller will then execute an addressing subroutine for the security component. Conversely, in normal mode, an instruction for addressing a memory area supplied by the input connector is always interpreted as being an addressing instruction for a memory area of the microcontroller.
In practice, the transparent operating mode has four main instructions, which are respectively:
powering up of the security component;
reading a data item at a memory address;
writing a data item to a memory address;
switching off the security component.
If the security component has an electrically programmable non-volatile memory, notably for reasons of customisation, it will be possible to have access to this memory, for the application manager but not for the standard user, in order to change the data thereof. The transparent operating mode will therefore make it possible to modify the content of the areas which cannot be modified by the program executed in normal mode.
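The routing rule described above (the same connector-side address names the microcontroller's own memory in normal mode and the security component's memory in transparent mode, with the four transparent-mode instructions gated behind the specific code), as an added model in C; this is illustrative code written for this page, not the patent's or any product's firmware, and the 4-byte code, memory sizes and the choice to fall back to normal mode on power-down are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
/* Constructed model of the reader described above: an added example, not the patent's own code. */
#define MEM_SIZE 16
enum mode { NORMAL, TRANSPARENT }; enum op { OP_READ, OP_WRITE };
enum target { TARGET_NONE, TARGET_MCU, TARGET_SECURITY };
static const uint8_t TRANSPARENT_CODE[4] = {0xA5, 0x5A, 0xC3, 0x3C}; /* placeholder, chosen for this model */
typedef struct {
    enum mode mode;
    bool sc_powered;           /* security component powered up (instructions 1 and 4) */
    uint8_t mcu_mem[MEM_SIZE]; /* microcontroller's own memory */
    uint8_t sc_mem[MEM_SIZE];  /* security component memory, never wired to the connector */
} reader_t;
/* A 4-byte code arriving on the input connector; only an exact match enters transparent mode. */
bool reader_present_code(reader_t *r, const uint8_t code[4]) {
    if (memcmp(code, TRANSPARENT_CODE, 4) != 0) return false;
    r->mode = TRANSPARENT;
    return true;
}
/* Instructions 1 and 4: power the component up or down, accepted in transparent mode only;
   switching it off also returns the reader to normal mode (an assumption of this model). */
bool reader_sc_power(reader_t *r, bool on) {
    if (r->mode != TRANSPARENT) return false;
    r->sc_powered = on;
    if (!on) r->mode = NORMAL;
    return true;
}
/* Instructions 2 and 3: one read/write instruction from the connector, routed by the current mode. */
enum target reader_access(reader_t *r, enum op op, uint8_t addr, uint8_t *data) {
    bool normal = (r->mode == NORMAL);
    if (addr >= MEM_SIZE || (!normal && !r->sc_powered)) return TARGET_NONE; /* unpowered: nothing to address */
    uint8_t *mem = normal ? r->mcu_mem : r->sc_mem;  /* the same address names a different memory per mode */
    if (op == OP_READ) *data = mem[addr]; else mem[addr] = *data;
    return normal ? TARGET_MCU : TARGET_SECURITY;
}
/* Walks one maintenance session end to end; returns 0 on success, else the failed step number. */
int reader_scenario(void) {
    reader_t r = { NORMAL, false, {0}, {0} };
    uint8_t v = 0x42, out = 0, bad[4] = {0, 0, 0, 0};
    if (reader_access(&r, OP_WRITE, 3, &v) != TARGET_MCU) return 1;         /* normal mode: MCU memory */
    if (reader_sc_power(&r, true) || reader_present_code(&r, bad)) return 2; /* both refused */
    if (!reader_present_code(&r, TRANSPARENT_CODE)) return 3;
    if (reader_access(&r, OP_READ, 3, &out) != TARGET_NONE) return 4;        /* component still off */
    if (!reader_sc_power(&r, true) || reader_access(&r, OP_READ, 3, &out) != TARGET_SECURITY) return 5;
    if (out != 0 || r.mcu_mem[3] != 0x42) return 6;                          /* not the MCU's byte */
    if (!reader_sc_power(&r, false) || reader_access(&r, OP_READ, 3, &out) != TARGET_MCU) return 7;
    return out == 0x42 ? 0 : 8;
}
```

The scenario shows the point a reviewer of such a design checks first: a read of address 3 returns the microcontroller's byte before the code is presented and after the component is switched off, and the security component's byte only in between.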