The natural tendency is to prefer trusting equipment that is specifically armoured against various intrusions or attacks. This can be achieved at various levels. At the level of the physical constitution of the equipment, this can take the form of a tamper-proof box that resists intrusion (tamper resistant), leaves a visible trace of any attempt at sabotage (tamper evident), or triggers a response adapted to a detected intrusion (tamper responsive). At the level of the functional constitution, the sensitive data are generally enciphered and their processing is subject to cryptographic protocols. A correct degree of security is obtained by using solely electronic circuits etched in the mass. A minimum of precautions must be taken if the flexibility of use of the equipment is to be improved. The usual preference is to use software components that run on secure operating systems inaccessible to third parties.
The flexibility of use offered by the equipment described above remains limited. In a world containing a vast number of electronic devices such as mobile telephones, personal assistants or microcomputers, a comparable need for flexibility is felt for equipment intended to perform actions that involve or relate to objects of a confidential nature. The operating systems commonly referred to as open, because of their wide distribution, are known to offer an appreciable abundance of useful and user-friendly applications that it would be advantageous to be able to use to satisfy this requirement. Opening the equipment up to software applications other than those strictly protected has the drawback of putting security in jeopardy. A malevolent application, or one contaminated by malevolent execution sequences, could spy on and betray the security processes of the equipment.
Some solutions consist of systematically authorizing only duly signed applications to be executed in the equipment. The well-known signature mechanism generally involves certificates checked by trustworthy bodies to guarantee the integrity of the signed application. This type of solution in fact restricts the openness of the operating system, since it also prevents the execution of applications that are not necessarily malevolent and that the user would prefer not to be deprived of.
There also exist solutions that consist of making the equipment function in two different modes, a completely open mode and a secure mode that is reserved for security applications such as those for performing actions that involve or relate to objects of a confidential nature.
The use of an open operating system is generally accompanied by that of a graphical screen for displaying various items of information. Such a screen makes it possible to display, in a particularly expressive way, the mode, secure or otherwise, in which the equipment is operating. An indicator light used to inform the user of the active mode would have the drawback that the user must be educated about the attention to pay to this light and about how to interpret it in order to distinguish open mode from secure mode. One might also think of displaying a pictogram, with or without accompanying text in the language of the user. However, this type of display poses a problem of compatibility, in terms of security, with the opening offered to any application. In the open operating mode of the terminal, a malevolent application could corrupt the display so as to deceive the user by indicating a secure mode that the terminal is not actually in. A lack of certainty about the mode in which the terminal is operating is a considerable drawback.
One might think of using two screens, one for open mode and one for secure mode. Apart from the drawbacks in terms of cost and size, this solution would require the user to watch two different screens. It would also be vulnerable to certain attacks that consist of placing a shield over the screen allocated to secure mode so as to deceive an uninformed user by displaying a false secure mode on the screen allocated to open mode.