The invention relates to a data exchange system comprising multiple data processing units, some of which are portable and establish a temporary communication link, while others, which are not mobile, may have a permanent communication link. The processing units comprise data communication means, processing means and memory means, the latter comprising an executive program.
Such a system is known from the international patent application WO-A-87/07063, which describes a system for a portable data carrier having multiple application files. One of the most important applications of such a portable data carrier is a smart card suitable for multiple applications. The known data carrier is described as a carrier of hierarchically structured data with security features to support multiple applications on the same data carrier; applications are seen as sets of data. The patent application describes an implementation of a hierarchical file system on a data carrier to store alterable data, in combination with a hierarchical set of access permissions. The data carrier responds to a set of common commands. File access permissions are distinct for different operations and are granted depending on password verification. A password verification attempt counter is introduced, as well as the destruction of stored data as a sanction against too many access attempts. The known data carrier is presented primarily as a storage device and not as a processor: only very simple functions, such as binary logic operations, may be performed by the executive program, and it is not possible to allow the performance of an unspecified set of operations on request of a terminal communicating with the data carrier. The only security option is password verification; no other access condition verifications are possible within the known system. Besides, each application of the data carrier has its own file within the memory means of the data carrier, and no special measures are taken to enhance the efficiency of the available memory space, which, especially on smart cards, is very restricted and therefore limits the number of possible applications.
EP-A-0,479,655 relates to the implementation of access condition checks in smart cards. One specification technique for this is disclosed; however, it is desirable to provide measures that include the possibility of other access condition verifications.
EP-A-0,361,491 relates to a chip card programming system allowing protected (re)programming of cards. It describes the use of write-once access conditions to control access to the parts of the programmable memory to be programmed; in this way the number of applications on a single card can be extended. Verification of the access conditions with a variety of techniques, including cryptographic protocols, is described.
EP-A-0,292,248 relates to loading applications on a smart card using an unalterable operating system program. It includes the implementation of a data access condition enforcement method using memory zones with assigned access attributes. Specific access conditions are "write-once" (which is only described implicitly) and "execute-only".
U.S. Pat. No. 4,874,935 relates to card programming using a data dictionary, where the data dictionary describes the layout of the data elements stored in the card's memory. Data dictionaries are commonly understood to differ from directories in that they describe not only data actually stored, but also data which will be stored later; in addition, they usually include a description of the data format. In compiled form, data dictionaries are used in database management systems, where they are stored on the hard disc as part of the database. They are also found in the object load files resulting from program compilation in software development environments. However, the patent does not claim a representation of data dictionaries particularly suited to smart cards.
EP 0 466 969 A1 relates to providing functions in the smart card executive program to support the correct conduct of a sequence of messages between smart card and terminal, by reserving part of the memory of the card as storage for state information and providing specific means to implement a state engine controlling state transitions, such state information being crucial in determining the actions to perform on reception of messages. State engines accepting a variable sequence of messages are well known from computer language compiler design and computational complexity theory. The patent does not address the possibility of implementing varied sets of possible actions specific to a number of applications which may reside simultaneously in the smart card.
The main objective of the present invention is to present means to formally, precisely and uniquely describe a system consisting of trusted processing units, in terms of how these processing units will behave when engaged in communication amongst themselves where such communication is intended to transfer value or other trusted information. Such comprehensive descriptions of the possible modes of communication between the data processing units are applicable both to the system as a whole and to the detailed operations of the individual processing devices. Such a formal description provides the basis for formal reasoning in the verification of the correctness of implementations, which will be required for the acceptance of systems intended for worldwide deployment.
A further object of the present invention is to present means to cope optimally with the restrictions imposed by the limited physical dimensions of the available memory space on portable data processing units, especially smart cards.
A further object of the present invention is to offer a more general mechanism for the protected loading of program code, and to allow such loading for multiple programs, one for each application of each portable data processing unit.
Moreover, the present invention is directed to providing for the use of access condition verifications not prescribed by the manufacturer of the portable processing unit but chosen by the application designer to suit his particular needs.
Furthermore, the present invention is directed to providing a mechanism to protect the communication between processing units such that its content and orderly sequence cannot be disrupted by any intervening or mediating devices.
Therefore the system according to the invention is characterized in that the memory means of the totality of the processing units further comprise descriptions of the possible modes of communication between the data processing units as "interaction contexts", which contain descriptive data structured in accordance with the following data structure:
a. a set of basic distinct communication primitives which are accepted whenever one of the data processing units communicates with one or more of the other units;
b. a set of procedural descriptions defining the actions to be performed in response to the accepted communication primitives;
c. a set of data elements, either permanently stored or computed, which are available for use when the procedures defined in the procedural descriptions are performed;
d. a set of references to data elements, which references are associated with the procedural descriptions; said data elements may also be accessible to further interaction contexts and are available for use when the procedures defined in the procedural descriptions are performed;
e. a possibly empty data list comprising a possibly ordered set of references to data elements which are available for explicit reference as part of a communication primitive, to be used by the procedural descriptions associated with the communication primitives;
f. a set of access conditions associated with the data elements, which are consulted when the data elements referenced in association with the procedural descriptions are used;
g. a set of access conditions associated with the data references in the data list.
By organizing the description of the system of communicating trusted processing units in this strict framework, its operation, as far as the conditions and effects of possible communications between the devices are concerned, is completely and exhaustively described. Augmented with formally precise semantic definitions of the structure elements, the data becomes amenable to formal reasoning, and therefore the implementation of the system becomes more amenable to formal review of correctness. For this purpose it is not necessary that all data resides in the memory means of every individual processing unit; it is sufficient that such data is loaded into a processing unit prior to its being used. The secured loading of such data is included in the present invention.
In a first preferred embodiment the individual processing units in the data exchange system described above are characterised in that the memory means of the processing unit further comprise at least one interaction context containing the following coherent data structure:
a. a set of basic distinct communication primitives which are accepted whenever one of the data processing units communicates with one or more of the other units;
b. a set of procedural descriptions defining the actions to be performed in response to the accepted communication primitives;
c. a possibly empty set of data elements, either permanently stored or computed, which are available for use when the procedures defined in the procedural descriptions are performed;
d. a possibly empty set of references to data elements, which references are associated with the procedural descriptions; said data elements may also be accessible to further interaction contexts and are available for use when the procedures defined in the procedural descriptions are performed;
e. a possibly empty data list comprising a possibly ordered set of references to data elements which are available for explicit reference as part of a communication primitive, to be used by the procedural descriptions associated with the communication primitives;
f. a set of access conditions associated with the data elements, which are consulted when the data elements referenced in association with the procedural descriptions are used;
g. a set of access conditions associated with the data references in the data list;
h. wherein, if a processing unit contains more than one interaction context, at least one of the communication primitives it accepts serves to selectively indicate one of said interaction contexts for further referral in the processing unit accepting the communication primitive.
By defining the data within the memory means of the portable processing unit in this way, the processing unit is organised as a true processor: it not only adds and subtracts, but performs processes which may be loaded into the processing unit by persons authorized to do so, e.g. a staff member of a bank. By providing procedures which may perform arbitrarily complex operations in response to received commands, and by providing an explicit list of stored data elements which are addressable as part of such commands, the communication bandwidth can be used optimally, resulting in a reduced number of exchanged commands; with a system according to the invention many actual uses of the system will require the exchange of only two commands. The only fixed thing is the structure within the memory means, which is defined in such a way that several applications of the unit may be added very efficiently, i.e. using as little additional memory space as possible. This is of prime importance if the unit is a smart card, which is severely limited as regards available memory space. Besides, the structure according to the invention offers every possibility to include security measures in order to prevent unauthorized people from accessing processes or data that they are not entitled to use.
An advantageous embodiment of the invention can be realised if the processing unit which contains multiple interaction contexts is further characterized in that the set of procedural descriptions at least comprises a first procedural description to be performed in response to the communication primitive, or primitives, which indicate one of said interaction contexts for further referral in the processing unit accepting the communication primitive, such performance resulting in a proper activation of the indicated interaction context. The description of this context activating procedure can with benefit be used to define the security requirements associated with selecting the context, and to perform initialisation of any security and operational data in the volatile part of the memory means. Further advantage can be obtained with processing units which contain multiple interaction contexts, characterized in that the set of procedural descriptions at least comprises a last procedural description to be performed in response to the communication primitive, or primitives, which indicate one of said interaction contexts for further referral in the processing unit accepting the communication primitive, such performance resulting in a proper deactivation of the interaction context which was in force when the communication primitive was received. This deactivation procedure gives control to the application which is about to be superseded by reception of the communication primitive, which gives the designer of applications an opportunity to clean up the memory content and round off operations when the application is aborted, which may happen unexpectedly.
In a further preferred embodiment the data exchange system defined above is characterized in that the memory means further comprise at least two interaction contexts, at least one application description and a memory element storing a reference to the interaction context currently in force, each application description comprising:
a. a data list comprising references to data elements, which references may be accessible to two or more interaction contexts and may be extended by additional data elements;
b. a further set of access conditions associated with said references or with said additional data elements and defining restrictions of use.
By these measures all references to data elements which are common to different interaction contexts are accessible to all those interaction contexts, so they need only be stored once, saving memory space. Likewise, common access conditions on said data references are accessible to predetermined interaction contexts, so these common access conditions also need only be stored once, thereby saving memory space and enhancing efficiency.
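The following Python model, added here as an illustration and not taken from the patent, puts the elements a. to h. together with the application description just described: an executive that accepts primitives, a reserved primitive for context selection that runs the superseded context's deactivation procedure and the new context's activation procedure, data elements stored once in the application description and referenced from several contexts, and access conditions both on the elements (f.) and on the data-list entries (g.). A primitive carries a bit mask over the data list, which is the first of the encoding alternatives given further below. The purse application, the PIN and issuer values and all names are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Cond = Callable[["Unit"], bool]                  # f./g.: predicate on the unit's volatile state
ALWAYS: Cond = lambda u: True
NEVER: Cond = lambda u: False
PIN_OK: Cond = lambda u: u.pin_verified
ISSUER_OK: Cond = lambda u: u.issuer_authenticated
Proc = Callable[["Unit", List[str], int], object]  # b.: action for an accepted primitive


@dataclass
class Element:
    value: int
    cond: Cond = ALWAYS                          # f.: condition stored with the element


@dataclass
class Context:
    ident: int                                   # unique context number
    procedures: Dict[int, Proc]                  # a.+b.: accepted primitives and their actions
    data: Dict[str, Element] = field(default_factory=dict)     # c.: elements private to the context
    data_list: Dict[str, Cond] = field(default_factory=dict)   # e.+g.: externally addressable refs
    activate: Optional[Callable[["Unit"], None]] = None        # first procedural description
    deactivate: Optional[Callable[["Unit"], None]] = None      # last procedural description


@dataclass
class Application:
    shared: Dict[str, Element]                   # d.: elements used by several contexts, stored once
    contexts: List[Context]


SELECT = 0x00                                    # h.: primitive reserved for context selection


class Unit:
    def __init__(self, apps: List[Application], default: int):
        self.table: Dict[int, Tuple[Application, Context]] = {
            c.ident: (a, c) for a in apps for c in a.contexts}
        self.pin_verified = self.issuer_authenticated = False
        self.app, self.ctx = self.table[default]  # default context in force after reset

    def element(self, name: str) -> Element:
        return self.ctx.data[name] if name in self.ctx.data else self.app.shared[name]

    def accept(self, primitive: int, mask: int = 0, arg: int = 0):
        """Executive: one primitive = procedure reference plus a bit mask over the
        data list; both the element's own condition and the data-list condition
        are checked by the executive before the procedure runs."""
        if primitive == SELECT:
            if arg not in self.table:
                return "ERR_NO_CONTEXT"
            if self.ctx.deactivate:
                self.ctx.deactivate(self)
            self.app, self.ctx = self.table[arg]
            if self.ctx.activate:
                self.ctx.activate(self)
            return "OK"
        proc = self.ctx.procedures.get(primitive)
        if proc is None:
            return "ERR_NO_PROC"
        refs = [n for i, n in enumerate(self.ctx.data_list) if mask >> i & 1]
        if any(not (self.element(n).cond(self) and self.ctx.data_list[n](self)) for n in refs):
            return "ERR_ACCESS"
        return proc(self, refs, arg)


# --- an assumed electronic purse: one application, three contexts ------------
def verify_pin(u: Unit, refs: List[str], arg: int):
    u.pin_verified = arg == u.element("pin").value
    return "OK" if u.pin_verified else "ERR_PIN"


def authenticate_issuer(u: Unit, refs: List[str], arg: int):
    # stand-in for a cryptographic challenge-response with the issuer
    u.issuer_authenticated = arg == u.element("issuer_secret").value
    return "OK" if u.issuer_authenticated else "ERR_AUTH"


def read(u: Unit, refs: List[str], arg: int):
    return [u.element(n).value for n in refs]


def adjust(sign: int) -> Proc:
    def proc(u: Unit, refs: List[str], amount: int):
        if not refs:
            return "ERR_NO_REF"
        for n in refs:
            u.element(n).value += sign * amount
        return u.element(refs[0]).value
    return proc


def clear_security(u: Unit):                     # activation/deactivation hook
    u.pin_verified = u.issuer_authenticated = False


def make_purse() -> Application:
    return Application(
        shared={"balance": Element(100),
                "pin": Element(1234, NEVER),                  # never addressable from outside
                "issuer_secret": Element(0xC0FFEE, NEVER)},
        contexts=[
            Context(0x01, {0x20: verify_pin}),                                # holder context
            Context(0x02, {0x30: read, 0x31: adjust(-1)},                     # payment context
                    data_list={"balance": PIN_OK}, deactivate=clear_security),
            Context(0x03, {0x21: authenticate_issuer, 0x32: adjust(+1)},      # load context
                    data_list={"balance": ISSUER_OK},
                    activate=clear_security, deactivate=clear_security),
        ])
```

The balance is stored once in the application description; the payment context exposes it under the holder's PIN condition and the load context under an issuer condition, while the PIN and issuer secret carry the condition NEVER and appear in no data list, so no primitive can address them. Leaving the payment context clears the PIN state, so a later read in that context fails until the PIN is verified again.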
Each application description may also comprise a procedure library comprising code which can be used by the procedural descriptions of each interaction context associated with that application description.
Preferably, the processing unit is suitable for at least two applications with the use of little additional memory space. To this end the data exchange system according to the invention is characterized in that the memory means comprise at least two application descriptions and units of executable code which can be used by the procedural descriptions of each interaction context within each application description, or by each unit of executable code of each procedure library within each application description.
Preferably, the units of executable code in the procedure library are enhanced by including a specification classifying the use of their operational parameters into classes that relate to attributes of the data elements which can be passed as actual values in a computation; the computation only proceeds if the data attributes and parameter classes match. This is an efficient way of verifying access conditions both at the data level and at the function level, for which a very efficient implementation exists.
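As an added illustration (not the patent's own code) of parameter classes, the following Python fragment stores attribute bits with each data element, declares the class required for each parameter of a library routine, and lets the executive refuse the call when an actual element does not carry the required attributes. A secret key element can thus never reach a routine declared to take public data, whatever code calls it. The attribute names, the library routines and the stand-in keyed function are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# attribute bits stored with each data element (assumed names)
MONETARY, PUBLIC, SECRET, COUNTER = 0b0001, 0b0010, 0b0100, 0b1000


@dataclass
class Element:
    value: int
    attrs: int                           # attribute bits describing the element


@dataclass
class LibraryProc:
    name: str
    classes: Tuple[int, ...]             # required attribute bits, one entry per parameter
    body: Callable[..., int]


def call(proc: LibraryProc, args: List[Element]):
    """Executive-side gate: the computation proceeds only when every actual
    element carries all attribute bits of the class declared for its position."""
    if len(args) != len(proc.classes):
        return "ERR_ARITY"
    for pos, (elem, cls) in enumerate(zip(args, proc.classes)):
        if (elem.attrs & cls) != cls:
            return f"ERR_CLASS@{pos}"
    return proc.body(*[e.value for e in args])


# assumed library entries: a debit, an export of a value to the terminal, and a
# stand-in for a keyed function that must only ever see a SECRET key
debit = LibraryProc("debit", (MONETARY, MONETARY), lambda bal, amt: bal - amt)
export = LibraryProc("export", (PUBLIC,), lambda v: v)
derive = LibraryProc("derive", (SECRET, PUBLIC), lambda k, d: (k * 0x9E37 + d) & 0xFFFF)
```

The check is one mask-and-compare per parameter, which is what makes it cheap enough for a card: the attribute bits travel with the element, the class bits with the routine, and no access path needs to be walked.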
More reliability is offered if the data exchange system according to the invention is characterized in that the executive program comprises a reference to a default interaction context, which is used to initialise the memory element storing the reference to the interaction context currently in force: as a final action after detection of an internal inconsistency, in recovery to a normal state of operation, or whenever the executive program is active and no explicit interaction context has been specified by a communication primitive received from a similar data processing unit.
In order to further improve the compactness of the implementation of procedural descriptions, procedure libraries, code fragments and the executive program, the data exchange system according to the invention may be characterized in that the executive program comprises routines constituting an interpreter for coded instructions of an abstract processor, such that the majority of the procedural descriptions and some of the units of executable code are coded as numeric values for interpretation by said interpreter routines. In addition, the abstract code interpreter provided by the executive program aids in formally verifying the correctness of the implemented functions, as the use of an abstractly designed instruction set and a small number of small implementing routines may make such verification more amenable to formal methods of reasoning and proof generation.
With further advantage with respect to compactness of storage of the interaction context descriptions and application descriptions, the data exchange system according to the invention may be characterized in that the procedural descriptions are encoded as indexes into a list over a subset of the procedures contained in the library of procedures comprising units of executable code. Specifically in the context of the present invention, such dispatch tables can be deployed with advantage, as the number of distinct procedural descriptions will, by the nature of the data structure, in general be very small, e.g. less than 16, so that the system may further be characterised in that the procedural descriptions are encoded in such small values that more than one description can be held in a basic unit of access of the memory means, or that the description can be combined with other relevant information in the same basic unit of memory access. To address the rarely expected case where the number of procedural descriptions within a single interaction context exceeds what the encoding space directly allows for, a system implemented according to the present invention can with benefit use an additional level of indirect reference, such that it can be characterized in that at least one of the encoding values of the procedural descriptions refers to a special function of the executive program designed to select by indirection the actual function to perform for the encoded procedural description, possibly by incorporating additional coding information stored in association with the procedural description encoded with said special value. Such additional compactness of storage of the data in the interaction context data structure will be especially beneficial considering that the memory means will in general be required to hold a considerable number of different application and context descriptions.
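Added illustration (not from the patent) of the compact encoding: each primitive of a context maps to a 4-bit index into the context's subset of the procedure library, two indices per byte, with the value 15 reserved as the escape that makes the executive take the actual index from an extension byte stored after the nibble area. The table layout, the library and the subset are assumptions for the example.

```python
from typing import Callable, Dict, List

ESCAPE = 0xF                 # nibble value meaning "index is in the next extension byte"


def pack_dispatch(indices: List[int]) -> bytes:
    """Layout (assumed): [count][two 4-bit indices per byte ...][extension bytes ...]."""
    if any(i < 0 or i > 0xFF for i in indices) or len(indices) > 0xFF:
        raise ValueError("index or table size out of range")
    nibbles, extension = [], []
    for idx in indices:
        if idx >= ESCAPE:                # 15..255 need the indirection
            nibbles.append(ESCAPE)
            extension.append(idx)
        else:
            nibbles.append(idx)
    if len(nibbles) % 2:
        nibbles.append(0)                # padding; the count byte keeps it unambiguous
    packed = bytes(nibbles[i] << 4 | nibbles[i + 1] for i in range(0, len(nibbles), 2))
    return bytes([len(indices)]) + packed + bytes(extension)


def unpack_dispatch(table: bytes) -> List[int]:
    count = table[0]
    ext_off, ext_used, out = 1 + (count + 1) // 2, 0, []
    for i in range(count):
        byte = table[1 + i // 2]
        nib = byte >> 4 if i % 2 == 0 else byte & 0xF
        if nib == ESCAPE:                # the executive's indirection function
            nib = table[ext_off + ext_used]
            ext_used += 1
        out.append(nib)
    return out


def dispatch(table: bytes, subset: List[str], library: Dict[str, Callable],
             primitive: int, *args):
    """Resolve primitive number -> packed index -> subset entry -> library routine."""
    indices = unpack_dispatch(table)
    if primitive >= len(indices):
        return "ERR_NO_PROC"
    return library[subset[indices[primitive]]](*args)


LIBRARY: Dict[str, Callable] = {        # assumed procedure library
    "nop": lambda *a: "OK",
    "add": lambda a, b: a + b,
    "sub": lambda a, b: a - b,
}
```

A context with three primitives whose indices are 0, 1 and 16 thus occupies four bytes: the count, two nibble bytes and one extension byte for the escaped entry.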
In order to enhance the security of data and functions within the processing unit, the data exchange system according to the invention may be characterized in that the memory means comprise an interaction context dedicated to holding Personal Identification Numbers, and that the executive program is arranged to verify Personal Identification Numbers supplied by a user of the data exchange system.
Advantageously, the Personal Identification Number management interaction context and the default context can be implemented as part of the same device holder application. Support of this application by most devices with which a device according to the invention communicates would give the device owner the opportunity to review his personal data as stored in the device memory; for instance, a smart card holder could be allowed to modify his PIN at any smart card terminal which provides an appropriate user interface.
Advantageous versatility in the choice of cryptographic protection methods to be used for loading the memory means with data describing the interaction contexts and the applications can be offered in a data exchange system according to the invention characterized in that the memory means comprise at least one interaction context dedicated to managing the number and content of the other interaction contexts contained in said memory means. Such versatility, with different levels of security and operational complexity, may be required by the market for portable processing units, both for loading different applications onto the same card and for offering issuing organisations a choice of distinct products all built on the same basic application infrastructure, such as provided by the invention. Currently, solutions to this problem rarely exist and are commonly based on proprietary special functions implemented as an integral part of the executive program, offering neither a uniform method nor a range of options.
Each application description may comprise a list of numeric values which is constructed to provide identifiers for all interaction contexts and comprises at least one of the following numeric values: a first value indicating an application type, a second value indicating a unique identification of the entity providing the application, a third value indicating the nature of the application description, and further numbers each uniquely referring to one interaction context associated with the application description.
The string of numeric values uniquely referring to an interaction context provides a means of establishing interoperability between two communicating devices which is more efficient than what is currently envisaged for e.g. smart cards: the responsibility for assigning unique values to each interaction context is relegated to the application providing entity, while the assignment of unique numbers to entities and applications is left to the relevant bodies of sectoral and international co-operation respectively. With benefit, the application providing entity can assign the unique context numbers so as to incorporate implementation version and secret key generation information.
A data system in accordance with the present invention can be implemented such that it is characterised in that the data communication means may be arranged to structure the data exchange in blocks of data comprising at least two parts: a first part being data qualified as operational, in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive, or is data resulting from operations carried out; a second part being qualified as security, in that it is used to determine the appropriateness of performing an operation or the acceptability of data within the operational part to be used in the operation, or to prove completion of the operation or correctness of the resulting data. Such appropriateness, acceptability, proof and correctness are obtained by performing the relevant cryptographic operations on the data.
Such a structure of the messages in the data exchange, and the order of cryptographic computations before and after performing the operational definition proper that it entails, provides a mechanism for protection against man-in-the-middle attacks on data exchange protocols. In particular, it can be used to obviate the need for explicitly maintained security state in the memory means of each of the processing units, as it allows cryptographically encoded state information to be exchanged in each message, contained in the part designated for security: verifying the cryptographic condition securely initializes the state variable, which then needs to be stored in the memory means only until the response message is sent and no longer, reducing the time such state information is exposed to tampering attempts. Finally, this structure of messages allows a more liberal use of end-to-end security, in which the security of the communication does not depend on any intervening or mediating devices.
Authentication and data protection are thus made an integral part of command execution, providing better security than obtainable in current systems, e.g. smart cards.
The executive program may be arranged, upon accepting a communication primitive, to perform the operations specified in the current interaction context as part of a predetermined and fixed sequence of actions, each of which is specified separately as part of the procedural description associated with the accepted communication primitive, which procedural description at least comprises distinct descriptions, any of which may be void, for the following actions:
a. authorization of the use of the communication primitive;
b. decryption of the operational data or any part of it;
c. performing a command with the input data;
d. encryption of any operational data resulting from any operation performed;
e. computation of a proof of completion of any performed action, or of correctness of the resulting data, to be used in security computations.
Security is further enhanced if the data processing unit generates a random transaction number upon initializing a data transfer, which serves as the basis for the cryptographic computations.
To provide for the possibility of entering a new interaction context when required, one communication primitive may be assigned a specified value which will always be interpreted as a request to enter a new interaction context.
In a further preferred embodiment the data exchange system according to the invention is characterized in that it comprises a further data processing unit comprising the same elements as the data processing unit, which may optionally contain in its memory an application programmer's interface consisting of program code designed to allow additional computer programs to be implemented, giving users control over the sequence of exchanged communication primitives, or to influence the data transferred in them, or to learn or further process the data received in the exchange.
In such a preferred embodiment of the invention the communication primitive used to enter a specified interaction context may comprise numeric values to be used in security calculations in subsequent communications: a first value generated randomly, or of similarly unique nature, by one of the processing units, and possibly a second value serving to prove the authenticity of said one processing unit or to otherwise identify it.
To further benefit from the present invention, each communication primitive may be structured to consist of two or more numeric values which enhance the expressive power of the communication primitive for interpretation by the executive program.
As a first alternative, each communication primitive except a first one signalling a reset may be composed of two or more numeric values: a first value used to refer to a procedural description of an action associated with the communication primitive, and a second value composed of a fixed number of binary values, each of which is interpreted by the executive program as a reference to a single data element.
As a second alternative, each communication primitive except a first one signalling a reset may be composed of two or more numeric values: a first value used to refer to a procedural description of an action associated with the communication primitive, and a second value used to determine which of the data elements available for external reference in the active interaction context will be used while performing the responding actions, in such a way that a data element is selected if it contains a value that matches said second value, or if it contains a value that otherwise suffices to indicate it.
As a third alternative, each communication primitive except a first one signalling a reset is composed of two or more numeric values: a first value used to refer to a procedural description of an action associated with the communication primitive, and a second value composed of a number of binary values which are assigned specific meanings by the executive program, to be used in interpreting the data formats in the communication primitive and in performing the responding actions.
The abovementioned portable processing units may be implemented in smart cards or in PCMCIA cards.
In a further elaboration of the invention, the communication means utilizes external communication means to establish a data link, such external communication means being made available to the data processing unit by the portable personal computer, or similar electronic device, hosting the PCMCIA card or smart card which implements the data processing unit.
In an alternative of the invention the data processing unit is implemented as a portable personal computer.
The communication means may utilize a smart card reader or a PCMCIA card slot.
Furthermore, the communication means may primarily or additionally utilize contactless data transfer by means of electromagnetic fields or particles.
The context mechanism defined above and the techniques it makes available lead to a wider range of smart card uses and an approach to smart card application development which have a number of advantages over the traditional ways.
First of all, it allows the execution of application specific program code in a smart card without the need to thoroughly examine the code for potential threats to the security of data stored for other applications. As the access conditions stored with the data on the card are enforced by the card operating system, without possibility of outside interference during execution of application code, a multi application card scheme does not need a program code vetting authority. Such an authority is the only way to allow a private code execution facility in traditional smart cards. By approving code for execution on a card, a vetting authority incurs liabilities with respect to the overall system security, which makes the management of multi application smart card schemes much more complex. The associated complexity and costs make application specific code in traditional card schemes almost infeasible. With the new technique the demand for this facility from smart card application providers, which has existed for some time, can be met.
Secondly, as a direct consequence of protected application specific programs in cards, a specific application can be implemented that is dedicated to loading other applications into the card. In this way, applications once loaded in a card can be protected even from the very application that loaded them. This protection gives the parties involved in a multi application card scheme, especially the card issuing entity and the application providing entities, a basis for their business agreement. Being based on tangible things such as the amount of storage needed on each card, the number of cards to be equipped and the duration of the application on the card, instead of an abstract notion of "trust" and "good care", the application provider's contract is easier to formulate than in traditionally implemented smart cards. Moreover, the card issuer and application provider do not need to share secret keys and protect this sharing with contractual obligations and mutually agreed key transportation facilities.
Thirdly, application software implemented on the basis of the new technique has several benefits compared with prior art smart card operating systems:
A minimal exchange of data between a terminal and a card is needed to establish interoperability between card and terminal, i.e. that they support the same application(s). Values of the data to be exchanged can be structured as proposed in the draft international standard ISO 7816-5;
To complete a transaction between card and terminal, the minimal number of data exchanges as theoretically inferred can actually be used, because the transaction is completed as a private computation instead of requiring a lengthy sequence of standard commands;
It allows controlled access to data without requiring an involved access path dictated by a directory and file hierarchy shared by all applications, as currently in use and proposed for standardisation;
It allows the development of the terminal and smart card applications in tandem, a development process which can be supported with computer software tools such as compilers and emulators. Design and implementation of card and terminal software can thus be lifted above the tedious and error prone assembly language coding currently required;
It allows standardization of equipment, both cards and terminals, using an abstract formalism to describe the device capabilities, which gives flexibility towards future developments such as new features offered by card or terminal manufacturers. The standardized terminal capability could include an API. In contrast, current standardization efforts in smart cards concentrate on prescribing fixed data contents of messages to provide identification values to be interpreted as determined by the standard, which leaves little room for new developments.
Finally, with the new technique the implementors of smart card operating systems are given great freedom in designing optimal implementations of the card's operating system kernel and of the terminal operating system. Smart card hardware designers are given several options to optimize chip silicon use with hardware support for the basic operations included in the system kernel. The hardware cost reduction obtainable starting from the specialized design defined above can be greater than that based on improvements to general purpose single chip computers.