The invention relates to the microcircuit cards generally known as chip cards.
Present-day chip cards are becoming increasingly sophisticated and now often have a microprocessor so that the card can work under the control of instruction programs incorporated into the card.
The instruction programs comprise, firstly, the general programs of an operating system and, secondly, application programs. The operating system essentially defines the internal working of the card and the communication protocols with the exterior. The application programs use the possibilities of the operating system to make the card perform tasks that depend on the application envisaged: for example an application pertaining to a money transaction will use application programs devised by a bank; another bank could prepare different application programs using the same cards and the same operating system. A distributor of services (such as telephone services, etc.) could devise its own application programs, again using the same operating system.
The life cycle of a chip card can be generally divided into major steps, namely:
1. Manufacture and pre-customizing
2. Customizing
3. Use.

Stated in terms of its state indicators, the card according to the invention has the following characteristics:
- the first indicator is capable of being changed from a first value to a second value during the passage of the card from a first state to a second state;
- for this second value, the first indicator prohibits certain functions of the card which were permitted for the first state of the card;
- the first indicator may be reset, under the control of the second indicator, to its first value, where it again permits said functions;
- the second state indicator is capable of being set to a first value, where it permits the return of the first indicator to its first value, or to a second value, where it prohibits this return;
- the first indicator is reset to its first value under the control of a return instruction applied to the card, provided that the second indicator does not have its second value;
- and the application of an erroneous instruction places the second indicator at its second value, prohibiting the return of the first indicator to its first value.
At each of these life-cycle steps, the card has a different owner and different functions. The owner in step 1 is generally the manufacturer of the card; in step 2 it is the provider of a service; and in step 3 it is the final user of the provider's services.
During manufacture, the manufacturer pre-customizes the card in an operation that consists in the recording, in the card, of the data elements that are specific to his customer who is the provider of services.
Then, the provider of services receives the card and records therein application programs and customizing data relating to his client who is the final user.
Finally, the ultimate user uses the card to obtain the services for which the card has been defined and programmed.
The steps 1 and 2 are those used by the manufacturer and the provider of services to define an operational configuration of the card. To achieve this configuration, the manufacturer and the provider of services use powerful memory write and read commands to which the final user will absolutely have no access. And the manufacturer may use commands that are more powerful than those used by the provider of services.
The term "more powerful command" may mean, for example, that the manufacturer has read and write access to absolutely all the non-volatile memory zones of the card. The provider of services will not have access to certain zones, such as those that identify the provider for whose needs the card has been manufactured, nor to program zones that the manufacturer considers confidential. And the user will not have access to certain program and data zones that the provider of services considers confidential, or to zones used to secure transactions against fraud.
During the passage from one step to the next, the owner at the current step implements measures that generally comprise an irreversible prohibition of any return to the previous step. These measures may include, for example, the irreversible blowing of physical fuses or logic fuses (non-volatile memory cells that are programmable only once) to prohibit access to memory zones. The manufacturer may blow some fuses and the provider of services may blow others.
One problem that is increasingly being encountered relates to the growing complexity of the programs loaded into chip cards and the growing quantity of data stored in the cards' memory.
It is thus increasingly difficult to devise application programs. As a result, unexpected malfunctioning may occur despite the very thorough checks performed during the devising of these programs. The operating system itself is becoming increasingly more sophisticated and is not safe against unexpected malfunctioning.
These malfunctions occur during the use of the card by the ultimate users whether in a context of abnormal use of the card or even normal use.
However, at the final step of use, there is no longer access to certain memory zones whose examination could be indispensable to detecting the source of the problem and helping to resolve it. Since all that is available is the symptom of malfunctioning perceived by the user, who can no longer use his card normally, it is very difficult to trace the cause in order to overcome it. The cause may be technological or software-related.
The result thereof for the manufacturer and possibly also for the provider of services is a loss of valuable information that could be used to devise an entirely satisfactory product.
The invention proposes an approach to improve the quality of products by facilitating the search for the causes of the malfunctions observed.
The following is the approach according to the invention: the card has a first state indicator defining the step of the life cycle in which the card is located. Another state indicator defines the right to return to the previous step. A command to return to the previous step enables the state of the first indicator to be modified. This command, which can be performed by the operating system of the card, cannot be used except for a determined state of the second indicator. The change in state of the second indicator permanently prohibits the use of the return command.
Preferably, an incorrect use of the return command places the second indicator in a state that permanently prohibits the use of the command. The command to return has, to this effect, parameters that must meet certain criteria (verified by the operating system of the card) so that the command is considered to be correct.
Preferably again, the parameters of the command bring into play the result of an enciphering algorithm that makes use of secret and/or public data. These parameters are computed by the card reader to send out the correct command. The command is received by the card which checks the parameters sent and prohibits the use (and any future use) of the command to return if there is any divergence between the parameters received and the parameters computed.
Thus, the card undergoes a life cycle into which an additional step is introduced, which may be called a qualification step, between the customizing step and the step of use, wherein the card can be used but wherein the possibility of checking the confidential data of the card in the event of a problem is temporarily preserved. This possibility is controlled by means of secret codes and enciphering algorithms so that it is not accessible to the final user and is reserved for the manufacturer (and, if necessary, for the provider of the service).
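The following simulation is an added example, not code from the patent or from any card manufacturer; it models the mechanism described in the two passages above: the per-step memory-zone access and one-time fuses of the manufacturing and customizing steps, and the two-indicator return command of the invention. The step names, the zone layout, the use of HMAC-SHA256 over a card-issued challenge as the "enciphering algorithm", and every function name are assumptions made for the example; the patent leaves these details open.

```python
"""Two-indicator life-cycle model for a chip card (added example, not the patent's code).

The first indicator is `step`; the second is `return_locked`, which only ever
moves from False to True. Memory zones are readable only in the steps listed
for them, fuses blown when leaving steps 1 and 2 forbid any return into them,
and the return command is authenticated with a keyed MAC over a fresh
challenge (HMAC-SHA256 is this example's choice of enciphering algorithm).
"""
import hashlib
import hmac
import os
from enum import IntEnum


class Step(IntEnum):
    MANUFACTURE = 1
    CUSTOMIZING = 2
    QUALIFICATION = 3   # assumed name for the added step between customizing and use
    USE = 4


class CardError(Exception):
    pass


# Assumed zone layout: which life-cycle steps may read each zone.
ZONE_READ_RIGHTS = {
    "manufacturer_programs": {Step.MANUFACTURE},
    "provider_secrets": {Step.MANUFACTURE, Step.CUSTOMIZING, Step.QUALIFICATION},
    "user_data": set(Step),
}


def reader_compute_return_proof(key: bytes, challenge: bytes, step: Step) -> bytes:
    """Parameters the card reader attaches to the return command (assumed format)."""
    return hmac.new(key, b"RETURN" + challenge + bytes([step]), hashlib.sha256).digest()


class ChipCard:
    def __init__(self, manufacturer_key: bytes):
        self._key = manufacturer_key
        self.step = Step.MANUFACTURE       # first indicator
        self.return_locked = False         # second indicator: one-way, never cleared
        self._fuses_blown = set()          # a fuse blown on leaving step S forbids return into S
        self._challenge = None             # outstanding challenge, consumed on use
        self._memory = {zone: f"<{zone}>" for zone in ZONE_READ_RIGHTS}

    def read_zone(self, zone: str) -> str:
        if self.step not in ZONE_READ_RIGHTS[zone]:
            raise CardError(f"zone {zone} not readable in step {self.step.name}")
        return self._memory[zone]

    def advance(self) -> Step:
        """Move to the next step; leaving steps 1 and 2 blows an irreversible fuse."""
        if self.step == Step.USE:
            raise CardError("already in the final step")
        if self.step in (Step.MANUFACTURE, Step.CUSTOMIZING):
            self._fuses_blown.add(self.step)
        self.step = Step(self.step + 1)
        return self.step

    def get_challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def return_to_previous_step(self, proof: bytes) -> Step:
        """The return command: verified by the card's OS, locked forever on any wrong use."""
        if self.return_locked:
            raise CardError("return permanently prohibited")
        challenge, self._challenge = self._challenge, None   # single use: no replay
        if challenge is None:
            raise CardError("no challenge outstanding")
        expected = reader_compute_return_proof(self._key, challenge, self.step)
        if not hmac.compare_digest(expected, proof):
            self.return_locked = True                        # second indicator set for good
            raise CardError("bad return parameters; return now permanently prohibited")
        if self.step == Step.MANUFACTURE:
            raise CardError("no previous step")
        previous = Step(self.step - 1)
        if previous in self._fuses_blown:                    # correct command, but a fuse forbids it
            raise CardError(f"fuse forbids return into {previous.name}")
        self.step = previous
        return self.step


def run_scenario(key: bytes = b"manufacturer-secret") -> list:
    """Walk one card through the life cycle and return the observed outcomes."""
    events, card = [], ChipCard(key)
    for _ in range(3):
        card.advance()                                   # 1 -> 2 -> 3 -> 4
    events.append(f"step={card.step.name}")
    try:
        card.read_zone("provider_secrets")
    except CardError:
        events.append("provider_secrets hidden in USE")
    proof = reader_compute_return_proof(key, card.get_challenge(), card.step)
    card.return_to_previous_step(proof)                  # manufacturer's reader, correct
    events.append(f"step={card.step.name}")
    events.append("provider_secrets readable: " + card.read_zone("provider_secrets"))
    proof = reader_compute_return_proof(key, card.get_challenge(), card.step)
    try:
        card.return_to_previous_step(proof)              # would cross a blown fuse
    except CardError:
        events.append(f"fuse blocks return, step={card.step.name}, locked={card.return_locked}")
    card.advance()                                       # back to USE
    bad = reader_compute_return_proof(b"wrong-key", card.get_challenge(), card.step)
    try:
        card.return_to_previous_step(bad)                # e.g. the end user guessing
    except CardError:
        events.append(f"bad proof, locked={card.return_locked}")
    proof = reader_compute_return_proof(key, card.get_challenge(), card.step)
    try:
        card.return_to_previous_step(proof)              # correct, but too late
    except CardError:
        events.append(f"correct proof refused, step={card.step.name}")
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

Two design points worth noting. The challenge is consumed before the proof is checked, so a captured correct command cannot be replayed later, and the MAC is verified before the fuse check, so a forged command is punished by locking even when its target step would have been refused anyway. The lock is a one-way flag exactly like the patent's second indicator: a single wrong attempt by the end user ends the qualification step for that card, while the manufacturer with the key can reopen the confidential zones as long as nobody has tried to guess.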