This invention relates generally to secure portable tokens, such as smart cards and in particular to smart cards having reloadable applications.
As is well known, a smart card may be a plastic, credit card-sized card containing a semiconductor chip, such as a microprocessor, built into the smart card so that it may execute some simple application programs, which may be referred to as applets. Some examples of the applications in a smart card include security and authentication, information storage and retrieval, and credit and debit operations for managing value accounts, such as prepaid phone time and debit accounts. Each value account application on the smart card has a particular type of use rights associated with the application. For example, a prepaid phone time application may have a predetermined number of prepaid phone minutes that are used up as phone calls are made with the card, and a prepaid public transit account may have an initial preset monetary value which is debited with each use of public transportation. To store and execute these applets, these smart cards have a built-in memory and processor. In order to ensure the security of the use rights on these smart cards, only the processor within the smart card may ordinarily alter the value of the use rights, and only after an authorization sequence has been successfully conducted. The network in which the smart card is being used does not have any direct access to the memory of the smart card nor to the use rights of any application.
There are generally two different types of smart cards, i.e., disposable smart cards and permanent, non-disposable smart cards. A disposable smart card may have a rudimentary semiconductor chip embedded within the smart card and may have a limited amount of memory and some hardwired logic. The disposable smart cards may have a predetermined initial amount of prepaid use rights or other value stored in the memory of the smart card, established when the smart card is manufactured. The prepaid use rights are then depleted as the smart card is used. Prepaid phone cards and subway fare cards are examples of disposable smart cards because these smart cards are thrown away after the prepaid use rights are depleted. These disposable smart cards are inexpensive because of the rudimentary semiconductor chip, but they have limited utility since their stored value cannot be replenished, and other applications cannot be installed on them. Due to the limited memory and processing power, these disposable smart cards also cannot execute sophisticated cryptographic algorithms, which means that these disposable smart cards are less secure.
The non-disposable, permanent smart cards may have a more complex semiconductor chip embedded within the card, and may have a programmable micro-controller and an expanded memory. The memory may store one or more applets that have separate predetermined amounts of use rights for different functions. Importantly, these permanent smart cards have use rights that may be replenished so that the permanent smart card need not be discarded once the use rights are depleted. Examples of these permanent smart cards include banking cards according to the Europay/Mastercard/Visa standard, and pay television access control cards. These permanent smart cards have more memory for storage of multiple applets and the use rights on the smart card may be separately and independently replenished. However, these permanent smart cards are also more expensive due to the additional memory and the microcontroller, and the replenishment can only be performed by the card issuer.
Initially, many companies issued disposable smart cards due to the lower initial investment. However, due to the security concerns of these disposable smart cards and the limited applications that may be run on these disposable cards, the current trend is to use permanent smart cards because several applications may be loaded onto a single permanent smart card. The permanent smart card is also more secure because more sophisticated cryptographic techniques may be used.
Most conventional permanent smart cards may have a memory unit that may include a read only memory (ROM), a random access memory (RAM), and a non-volatile memory (NVM). The NVM may be, for example, a flash memory such as a flash electrically erasable programmable read only memory (Flash EEPROM), or an EEPROM. These permanent smart cards receive all of their power from the terminal to which they are connected during use. As a consequence, the RAM, which is volatile memory and loses its contents whenever the card is removed from the terminal, may be used only as a scratch pad memory for simple computations that do not need to be stored. The ROM, which is permanent, may store the operating system (OS) of the smart card and other programs which do not need to be updated or changed, such as certain permanent applets. The NVM may store certain applets and the use rights secrets or values associated with all applications in the smart card. These conventional permanent smart cards may have multiple applications that reside in the memory of the smart card.
Some conventional permanent smart cards have fixed application programs that are stored in the ROM at the time that the smart card is manufactured. These smart cards do not permit any applications to be stored in the NVM due to security concerns. The programs that are stored in the ROM cannot be altered. The applications for these ROM-based smart cards, however, take a great amount of time to develop because the application must first be developed and then be hard wired into the ROM. In addition, these fixed applications cannot be changed or removed once the card has been manufactured.
To solve the problems of a fixed application in the ROM, some current smart cards permit applications to be stored in the NVM. However, handling of applications and their associated use rights in the NVM of the smart card poses several problems.
First, there is a security problem, since access to one application within the NVM may also permit access, by a clever individual, to the other applications within the NVM unless carefully controlled. In addition, a clever person may figure out a way to replenish his use rights illegally, as they are also stored in the NVM. This is an especially large problem for banks that want to issue debit or electronic purse cards, since a person could replenish the money available on the smart card without debiting his bank account. For a bank, it is desirable that no one but the bank has access to the use rights within the smart card. This means that the use rights of any applet on a smart card may only be replenished by the card issuer, such as the bank, which may be inconvenient. In addition, any other company with applets on that smart card must have a relationship with the card issuer.
Second, the replenishing of the use rights of an applet in the smart card may be slow, because a number of security procedures must be followed whenever use rights are being changed. For example, several authentication procedures must be completed to ensure that no illegal activities are occurring.
Third, since each type of application may have a different type of use rights in various different units, such as phone minutes in time units versus cash in monetary units, each different application will probably require a different use rights reload procedure. For example, a use rights reload procedure for phone minutes may not be able to replenish the cash of a debit account on a smart card. Thus, the procedures that load use rights into the smart card must be duplicated for each type of application.
To limit access to these use rights values, conventional permanent smart cards have done several different things. First, some conventional permanent smart cards have controlled the access to certain areas of memory, known as memory zones, so that these memory zones are write-once areas. Other conventional permanent smart cards use a data dictionary, which keeps track of the memory areas in which each of the applications must reside. Thus, some sort of memory management system must constantly verify that none of the applications are doing illegal activities, such as reading or writing outside their own memory areas.
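As an added illustration (not part of the original description and not the code of any actual card operating system), the following simulation shows the two conventional NVM protection schemes just described working together: a data dictionary that records which memory zone each applet owns, and a zone that is marked write-once so that an initial value can be burned in but never rewritten. The NVM size, zone layout, applet names and the AccessViolation exception are all constructed assumptions chosen for the example.

```python
"""Simulation of write-once memory zones and a data dictionary for NVM.

Constructed example: the zone layout, applet names and exception type are
assumptions for illustration and do not describe any real smart card OS.
"""
from dataclasses import dataclass, field


class AccessViolation(Exception):
    """Raised when an applet touches NVM it does not own or may not rewrite."""


@dataclass
class Zone:
    start: int                  # first NVM offset owned by the applet (inclusive)
    end: int                    # one past the last owned offset (exclusive)
    write_once: bool = False    # True for a burn-once area such as an initial balance
    written: set = field(default_factory=set)   # offsets already burned in a write-once zone


class NvmManager:
    """Data-dictionary style memory manager.

    Every applet is mapped to exactly one zone, and every read or write is
    checked against that mapping before the NVM is touched.
    """

    def __init__(self, size: int):
        self.nvm = bytearray(size)
        self.dictionary: dict[str, Zone] = {}

    def register(self, applet: str, start: int, end: int, write_once: bool = False) -> None:
        # Refuse zones that lie outside the NVM or overlap an existing applet's zone,
        # so that no two applets ever share the same bytes.
        if not (0 <= start < end <= len(self.nvm)):
            raise ValueError("zone lies outside the NVM")
        for other, z in self.dictionary.items():
            if start < z.end and z.start < end:
                raise ValueError(f"zone for {applet} overlaps the zone of {other}")
        self.dictionary[applet] = Zone(start, end, write_once)

    def _check(self, applet: str, offset: int) -> Zone:
        # Look the applet up in the data dictionary and confirm the offset is in its zone.
        zone = self.dictionary.get(applet)
        if zone is None:
            raise AccessViolation(f"unknown applet {applet}")
        if not (zone.start <= offset < zone.end):
            raise AccessViolation(f"{applet} accessed offset {offset} outside its zone")
        return zone

    def read(self, applet: str, offset: int) -> int:
        self._check(applet, offset)
        return self.nvm[offset]

    def write(self, applet: str, offset: int, value: int) -> None:
        zone = self._check(applet, offset)
        # A write-once zone accepts the first write to an offset and rejects all later ones.
        if zone.write_once and offset in zone.written:
            raise AccessViolation(f"offset {offset} is write-once and has already been set")
        self.nvm[offset] = value & 0xFF
        if zone.write_once:
            zone.written.add(offset)


def demo() -> dict:
    """Exercise both schemes and report which illegal accesses were blocked."""
    mgr = NvmManager(64)
    mgr.register("phone", 0, 16)                      # reloadable prepaid-minutes counter
    mgr.register("purse", 16, 32, write_once=True)    # initial purse balance, burned once
    mgr.write("phone", 0, 120)                        # 120 prepaid minutes
    mgr.write("purse", 16, 50)                        # initial balance of 50 units
    results = {}
    try:
        mgr.write("phone", 16, 99)                    # phone applet trying to inflate the purse
        results["cross_zone"] = "allowed"
    except AccessViolation:
        results["cross_zone"] = "blocked"
    try:
        mgr.write("purse", 16, 250)                   # purse applet trying to re-burn its balance
        results["rewrite_once"] = "allowed"
    except AccessViolation:
        results["rewrite_once"] = "blocked"
    results["purse_balance"] = mgr.read("purse", 16)
    return results


if __name__ == "__main__":
    print(demo())
```

The second rejected write is the point worth noticing: the write-once zone stops an attacker from rewriting the purse balance, but it equally stops the legitimate issuer from replenishing it in place, which is exactly the limitation of these conventional schemes that the following paragraphs describe.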
In summary, some conventional permanent smart cards do not allow any applications to reside in the NVM to reduce security risks. Other conventional permanent smart cards have systems for replenishing the use rights of an application contained on a smart card, but limit this capability to the issuer of the smart card, and require separate loading procedures for each applet. None of these conventional smart card systems provide a system for loading an entire application of any type, including the use rights, into the memory of a permanent smart card. Accordingly, conventional smart cards cannot store disposable applications, such as a prepaid telephone time applet, because there is no method for removing the disposable application once it is depleted or replacing the disposable applet with a new applet. Thus, in conventional smart cards, these depleted disposable applications would remain in the smart card taking up valuable memory space. For this reason, most permanent smart cards today do not have any ability to handle disposable applications.
Thus, there is a need for a system and method for universally reloading different types of use rights in multiple application smart cards which avoid these and other problems of known devices, and it is to this end that the present invention is directed.