The invention relates to replacing the operating system of a resource-constrained portable data carrier that has no user interface, or at most a restricted one. It relates primarily to replacing the operating system of data carriers of the chip card type, or of data carriers with other form factors whose main constituent is a smart card chip, and in particular to replacing the operating system of a machine readable electronic identity document.
Personal data are increasingly checked with the aid of machine readable electronic identification documents, which typically contain a data page in the form of a chip card or are configured entirely as a chip card or as an ID card of similar format. Access to and handling of personal data are subject to special security requirements: above all, it must be ensured that unauthorized parties cannot access the data and that the personal data cannot be altered impermissibly. Mechanisms for safeguarding the personal data are specified, for example, in the technical guideline TR-03110 “Advanced Security Mechanisms for Machine Readable Travel Documents”, version 2.10, issued by the Federal Office for Information Security (BSI) (available at: https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03110/index_htm.html). This guideline describes, among other things, the protocol “Extended Access Control” (EAC) and the protocol “Password Authenticated Connection Establishment” (PACE). PACE is a mutual authentication mechanism executed between the chip of a machine readable identification document and a terminal, based on a password known to both sides. EAC is a protocol for mutual authentication executed between the chip of a machine readable identification document and a terminal; it comprises two sub-protocols, terminal authentication (TA) and chip authentication (CA). In terminal authentication, the terminal proves to the chip, by means of a chain of certificates, its authorization to access the personal data stored in the chip. In chip authentication, the terminal verifies the authenticity of the chip, and secret symmetric session keys are agreed upon with which the subsequent data exchange is encrypted and protected against manipulation (secure messaging).
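As an added illustration of the chip authentication step described above (example code written for this page, not code from the patent or from BSI), the following Python script runs a simplified CA exchange between a chip (PICC) and a terminal (PCD): the terminal sends an ephemeral Diffie-Hellman public key, the chip combines it with its static private key to derive the session keys K_Enc and K_MAC, and the chip answers with a nonce and an authentication token that only the holder of the static private key can produce. Everything not taken from the page is an assumption of this example: plain Diffie-Hellman over the RFC 3526 group-14 prime stands in for the document's own domain parameters, SHA-256 stands in for the guideline's KDF hash, HMAC-SHA256 stands in for its AES-CMAC authentication token, and the class and function names are the editor's own. The second run under `__main__` shows why the step establishes authenticity: a clone that knows only the published public key PK_PICC cannot produce a valid token.

```python
"""Simplified Chip Authentication (CA) in the style of BSI TR-03110.

Added example, not code from the patent or from BSI. Simplifications:
plain Diffie-Hellman over an RFC 3526 MODP group instead of the
document's own domain parameters, SHA-256 as KDF hash, HMAC-SHA256
instead of AES-CMAC for the authentication token.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime (2048-bit MODP); stand-in for the DH domain
# parameters a real chip publishes in its security infos.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_LEN = (P.bit_length() + 7) // 8   # octet length of a group element (256)


def encode(x: int) -> bytes:
    """Fixed-length big-endian octet string, as TR-03110 encodes DH values."""
    return x.to_bytes(KEY_LEN, "big")


def kdf(shared_secret: int, nonce: bytes, counter: int) -> bytes:
    """KDF(K, r, c) = H(K || r || c) truncated to a 16-byte AES-128 key.
    Counter 1 yields K_Enc, counter 2 yields K_MAC (the TR-03110 values)."""
    h = hashlib.sha256(encode(shared_secret) + nonce + counter.to_bytes(4, "big"))
    return h.digest()[:16]


def auth_token(k_mac: bytes, pk_pcd: bytes) -> bytes:
    """T_PICC = MAC(K_MAC, PK_PCD); HMAC-SHA256 stands in for AES-CMAC."""
    return hmac.new(k_mac, pk_pcd, "sha256").digest()[:8]


class Chip:
    """The PICC: holds the static CA key pair. PK_PICC is stored in the
    document's signed data; SK_PICC never leaves the chip."""

    def __init__(self):
        self.sk = secrets.randbelow(P - 3) + 2
        self.pk = pow(G, self.sk, P)

    def chip_authentication(self, pk_pcd: bytes):
        y = int.from_bytes(pk_pcd, "big")
        if not 1 < y < P - 1:            # reject degenerate public values
            raise ValueError("invalid terminal public key")
        k = pow(y, self.sk, P)           # K = KA(SK_PICC, PK_PCD)
        r_picc = secrets.token_bytes(8)  # nonce bound into the session keys
        k_enc, k_mac = kdf(k, r_picc, 1), kdf(k, r_picc, 2)
        return r_picc, auth_token(k_mac, pk_pcd), (k_enc, k_mac)


class Terminal:
    """The PCD: knows PK_PICC (read from the chip's signed data beforehand)
    and uses a fresh ephemeral key pair for every session."""

    def __init__(self, pk_picc: int):
        self.pk_picc = pk_picc
        self.sk = secrets.randbelow(P - 3) + 2
        self.pk = encode(pow(G, self.sk, P))

    def verify(self, r_picc: bytes, t_picc: bytes):
        k = pow(self.pk_picc, self.sk, P)   # K = KA(SK_PCD, PK_PICC)
        k_enc, k_mac = kdf(k, r_picc, 1), kdf(k, r_picc, 2)
        if not hmac.compare_digest(auth_token(k_mac, self.pk), t_picc):
            return None                     # chip did not prove it holds SK_PICC
        return k_enc, k_mac


def run_chip_authentication(chip: Chip, claimed_pk: int) -> bool:
    """One CA run in which the terminal trusts claimed_pk as PK_PICC.
    True only if the chip proved possession of the matching SK_PICC and
    both sides derived the same session keys."""
    terminal = Terminal(claimed_pk)
    r_picc, t_picc, chip_keys = chip.chip_authentication(terminal.pk)  # PK_PCD -> chip
    terminal_keys = terminal.verify(r_picc, t_picc)                    # r_PICC, T_PICC -> terminal
    return terminal_keys is not None and terminal_keys == chip_keys


if __name__ == "__main__":
    genuine = Chip()
    clone = Chip()   # knows the published PK_PICC but not SK_PICC
    print("genuine chip:", run_chip_authentication(genuine, genuine.pk))
    print("cloned chip: ", run_chip_authentication(clone, genuine.pk))
```

The key agreement only proves that the chip holds the private key matching the public key the terminal trusts; the terminal therefore has to obtain PK_PICC from the chip's signed data and check that signature first, otherwise a chip with an arbitrary key pair would pass. The nonce r_PICC keeps the derived session keys fresh even though the chip's key is static.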
The mechanisms described in TR-03110 effectively ensure that only authorized terminals can access the chip of a machine readable electronic identification document and that, where applicable, the personal data read out stem from an authentic chip. The reading of personal data from the chip of an electronic identification document is thus sufficiently secured by TR-03110.
Bringing data into a machine readable electronic identification document, however, and in particular loading data of the operating software of its chip, is not addressed by TR-03110. Loading operating software data into the chip of an electronic identification document has hitherto played no role, because the operating system of conventional smart card chips was typically stored in ROM and could be changed only with considerable effort. In addition, the average lifetime of conventional electronic identification documents is only a few years, typically one to three, so that any required change to the operating system could simply be made by issuing a new card generation.
For the electronic identification documents now being introduced, however, longer lifetimes of e.g. 10 years are demanded. If a change of the operating system becomes necessary within such a lifetime, the previous practice of making such changes with the next card generation can lead to considerable disadvantages: an important function provided by the identification document may no longer be executable, or it may become necessary to replace identification documents prematurely, which entails correspondingly high costs.
Furthermore, US 2009/0026275 A1 discloses an automatically configurable smart card in which generic data are recognized and migrated when the smart card is booted for the first time.
EP 2 388 151 A2 discloses a manufacturing process for an electronic passport (e-passport). Besides an operating system, the passport also has a logical data structure (LDS), which can be updated without changing the operating system.