This application is a 371 of PCT/IB99/00653 filed Apr. 14, 1999.
The invention concerns integrated circuit cards, such as smartcards, in general, and an automatic recovery scheme in particular.
Integrated circuit cards (ICCs), more widely known as smartcards, are small credit card size carriers containing electronics. The smartcard concept began in Europe prior to 1985, and is today being used in telephone systems, toll roads, game parlors, and personal computers, just to mention some applications.
In the following, the term integrated circuit card will be used, because ISO uses the term to encompass all those devices where an integrated circuit is contained within a card-size piece of plastic, or the like.
So far, ICCs have only been used in one of two ways. Either, the ICCs provide simple, more or less tamper-proof storage for small amounts of data, or they execute simple security-related operations like data signature, or encryption-based authentication, e.g. employing a challenge-response protocol. Some applications like pre-paid telephone or cinema cards, as well as health care cards storing personal data make use of the first property. ICCs in the second domain are used as secure tokens executing authentication procedures for example during computer system logon, or when opening appropriately equipped doors for access to a restricted area.
Typical ICCs supporting the above two modes of operation or use comprise a microprocessor (central processing unit, CPU), a read-only memory (ROM), a random-access memory (RAM), and some type of non-volatile, programmable memory, such as an EEPROM (electrically erasable programmable read only memory). In addition, an ICC usually comprises some kind of a bus (such as a serial bus) and I/O ports for interconnection to a card terminal and for communication with the outside world. Such a card terminal provides the necessary power, electric signaling at the hardware level, as well as the basic communication protocols at the software level to interact with the ICC. Two types of card terminals are available: the more expensive model physically locks the ICC as a whole. Alternatively, and in order to reduce the cost of card terminals, it is also very common to only provide a slot into which the user can insert and from which he can retract the ICC at will.
EP-A-0526 139 describes an integrated circuit card comprising a processor, volatile memory, non-volatile memory, power coupling means allowing external power to be supplied to the card, failure protection means maintaining power for a short period of time in case of a power supply failure, and a power-failure detector sensing a power supply failure. The power-failure detector triggers the transfer of information from the volatile memory to the non-volatile memory if a power supply failure is sensed, and the failure protection means provide power for this transfer.
WO96/36947 describes a technique for transaction recovery in a value transfer system.
Most ICCs comprise components in the form of integrated circuits which are molded together on a flexible card (e.g. PVC or ABS). The dimension of these integrated circuits (ICs) is at most 25 mm2 (silicon die size). A typical ICC has a size of 85.6 mm × 53.98 mm × 0.76 mm. It is to be expected that the ICC's integrated circuits shrink in size and that these ICCs become more and more powerful, taking advantage of advanced semiconductor technology.
The contents of the ROM type of memory are fixed and cannot be changed once manufactured by the semiconductor company. This is a low cost memory, in that it occupies minimum space on the substrate. It is a disadvantage of a ROM that it cannot be changed and that it takes several months to be produced. As opposed to this, an EEPROM is erasable by the user and can be rewritten many times. ROMs and EEPROMs are non-volatile. In other words, when the power is removed they still retain their contents. A RAM is a volatile memory and as soon as the power is removed the data content is lost. A RAM, however, has the advantage that it is much faster than ROMs and EEPROMs. On the other hand, a RAM is more expensive in terms of die size.
ICCs come in two forms, contact and contactless. The former is easy to identify because of its gold connector I/O ports. Although the ISO Standard (7816-2) defined eight contacts, only six are actually used to communicate with the outside world. The contactless card may contain its own battery, particularly in the case of a "Super Smart Card" which has an integrated keyboard and LCD display. In general, however, the operating power is supplied to the contactless card electronics by an inductive loop using low frequency electromagnetic radiation. The communications signals may be transmitted in a similar way or can use capacitive coupling or even an optical connection.
Recent advances in chip design enabled the introduction of FlashRAM for non-volatile memory and 32-bit microprocessors on the same silicon estate. Thus, ICCs are getting powerful enough to host simple, but nonetheless fully functional applications, by far exceeding the simple read/write, respectively encrypt/decrypt routines as outlined above. For example, complex security-related operations like full-blown cryptographic or electronic commerce protocols could be run on the card itself and need no longer reside on a more insecure personal computer.
For most applications in the simple read/write, respectively encrypt/decrypt scenarios outlined above, power-loss by card retraction at any time does not create a serious problem. As an example for the first scenario, a telephone card's credit/debit amount can always be stored into persistent memory on the ICC before an action (i.e. a call) is taken. For the second usage type, recovery is even easier. If an authentication cannot be completed, the card simply does not provide its service. In both cases, it is possible to find a way that no harm is done to the card's functionality if the user retracts the ICC prematurely from the card terminal.
However, there are other kinds of nontrivial applications where premature card extraction, or interruption of the inductive loop providing power to a contactless ICC using electromagnetic radiation, might create a serious problem since it leads to the immediate loss of supply voltage. Due to this loss of supply voltage, all contents of the ICC's RAM, and with it the whole transient application state, are lost immediately and irrevocably. Such a loss of application state can possibly wreak havoc on a system not prepared to handle this type of event.
Currently, two main approaches for dealing with this problem are known, or under development, for ICCs. According to the first approach, RAM is not used at all for any type of operation involving data that has to be kept permanent and consistent. Unfortunately, always using non-volatile memory has a couple of serious drawbacks. One is the extreme performance penalty that has to be paid, as every memory write access is roughly 500 to a thousand times slower when using EEPROM or FlashRAM instead of RAM. An even more serious problem is the limitation on the amount of guaranteed write cycles (100000 times for EEPROM, 1000000 times for FlashRAM, respectively). In the new setting, where memory-intensive applications like cryptographic protocols may continuously access this memory, these figures can easily be reached within a couple of minutes. After this time, an ICC would simply cease to operate, or its reliability would be drastically reduced.
In order to address this problem, a second approach using the well-known transaction concept from database development has been adopted. This concept permits applications to use the ICC's RAM, but the application developer has to ensure that critical data structures are always guarded by transaction 'brackets'. A transaction bracket is a code segment marked at the start with a source code statement 'transaction begin' and at the end with either a 'transaction commit' (success), or a 'transaction abort' (failure). The semantics of these routines are well-known from database programming and are provided by the underlying runtime system of the ICC. Semantic integrity checks, however, are hard to provide automatically and thus always rest with the application programmer using transaction functions. Details on the transaction concept are given in "The transaction concept: Virtues and limitations", J. N. Gray, Proc. 7th International Conference on Very Large Database Systems, 1981, pp. 144-154. The main problems with this approach are twofold. For one, this type of programming is extremely error-prone. By omitting just one transaction on a crucial data structure, the whole application can behave inexplicably, and even worse, in case of application interaction as now possible on an ICC, other programs can be crashed as well, although they may have been programmed correctly. Secondly, transactions have to be programmed anew for every new application on any type of ICC. In combination with the huge numbers of delivered units, coding and testing have to be very thorough and are thus expensive.
It is an object of the present invention to provide an integrated circuit card that allows information to be automatically recovered after a failure of the external power supply.
It is another object of the present invention to provide a scheme for the storing and/or recovery of information in case of a failure of the power externally supplied to an integrated circuit card.
It is another object of the present invention to provide improved card terminals.
In accordance with the present invention, there is now provided an integrated circuit card comprising: a processor; volatile memory; non-volatile memory; power coupling means allowing external power to be supplied to the card; failure protection means maintaining power for a short period of time in case of a power supply failure; and a power-failure detector sensing a power supply failure; wherein the power-failure detector triggers the transfer of information from the volatile memory to the non-volatile memory if a power supply failure is sensed, and the failure protection means provides power for this transfer; said card being characterized in that it further comprises means for setting a power supply failure indicator (PF) into said non-volatile memory if a power supply failure is sensed by said power-failure detector, in order to leave a trace that a power supply failure has occurred, the failure protection means providing the power for setting said indicator (PF).
Viewing the present invention from another aspect, there is now provided recovery means for use in an integrated circuit card comprising a processor, volatile memory, non-volatile memory, and power coupling means allowing external power to be supplied to the card, said recovery means comprising failure protection means supplying power to the integrated circuit card for a short period of time in case of a power supply failure, and a power-failure detector sensing a failure of the external power supplied to the integrated circuit card, wherein the power-failure detector triggers the transfer of information from the volatile memory to the non-volatile memory if a failure of the external power is sensed, and the failure protection means supply power to the integrated circuit card for this transfer, said recovery means being characterized in that it further comprises means for setting a power supply failure indicator (PF) into said non-volatile memory if a power supply failure is sensed by said power-failure detector, in order to leave a trace that a power supply failure has occurred, the failure protection means providing the power for setting said indicator (PF).
Viewing the present invention from yet another aspect, there is now provided a method for the protection of information being stored in a volatile memory of an integrated circuit card, said integrated circuit card further comprising a processor, non-volatile memory, and power coupling means allowing external power to be supplied to the card, said method comprising the following steps: detecting a failure of the external power supplied to the integrated circuit card; reading information from the volatile memory and transferring it to the non-volatile memory; writing the information into said non-volatile memory; setting a power supply failure indicator (PF) into said non-volatile memory in order to leave a trace that a power supply failure has occurred; and supplying power, provided by a failure protection means being part of the integrated circuit card, at least during the execution of the above steps.
The present invention concerns integrated circuit cards comprising a microprocessor, volatile memory (RAM), non-volatile memory (ROM, FROM), and power coupling means allowing external power to be supplied to the card. Cards, according to the present invention, comprise failure protection means maintaining power for a short period of time in case of a power supply failure, and a power-failure detector sensing a power supply failure. This power-failure detector triggers the transfer of information from the volatile memory to the non-volatile memory if a power supply failure is sensed. The failure protection means provide power for this transfer.
The present invention also concerns methods for the storing of information in a persistent memory if externally supplied power fails, and a method for the automatic recovery after such a failure.
The inventive approach allows ICCs to fully recover after a power failure without application intervention. Computations can resume regardless of the duration of a power failure. The invention can be easily implemented in current and future ICCs. Further advantages are addressed in connection with the detailed description.
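The following C model of the claimed scheme is an added illustration, not code from the patent: on a sensed power failure the RAM contents are transferred to non-volatile memory and the PF indicator is set; at the next power-up the PF trace decides whether the saved state is restored. The checksum over the saved image, the ordering (image first, PF last) and the clearing of PF after a successful restore are our assumptions, added so that a transfer cut short before the protection means ran out of power is not mistaken for a valid image.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the card's memories (assumption, not the patent's layout):
 * a small RAM and a non-volatile area holding the saved image plus PF. */
#define RAM_SIZE 64
typedef struct {
    uint8_t  image[RAM_SIZE]; /* copy of volatile memory taken at power failure */
    uint32_t checksum;        /* detects an incomplete transfer (our assumption) */
    uint8_t  pf;              /* power supply failure indicator: 1 = trace left */
} nvm_t;
/* Adler-style checksum over the saved image. */
static uint32_t checksum(const uint8_t *d, size_t n) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + d[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}
/* Triggered by the power-failure detector while the failure protection means
 * still supplies power: transfer RAM first, set PF last, so PF implies a complete image. */
void on_power_failure(const uint8_t *ram, nvm_t *nvm) {
    memcpy(nvm->image, ram, RAM_SIZE);
    nvm->checksum = checksum(nvm->image, RAM_SIZE);
    nvm->pf = 1;
}
/* Run at every power-up; returns true when the application state was restored. */
bool on_power_up(uint8_t *ram, nvm_t *nvm) {
    if (nvm->pf != 1) return false;                 /* normal start, no trace */
    bool ok = checksum(nvm->image, RAM_SIZE) == nvm->checksum;
    if (ok) memcpy(ram, nvm->image, RAM_SIZE);      /* resume the computation */
    nvm->pf = 0;                                    /* consume the trace */
    return ok;
}
/* Scenario 1: constructed state, power loss, boot with RAM wiped. Returns 0 on success. */
int simulate_power_loss(void) {
    uint8_t ram[RAM_SIZE];
    nvm_t nvm = {0};
    for (int i = 0; i < RAM_SIZE; i++) ram[i] = (uint8_t)(i * 7);
    on_power_failure(ram, &nvm);
    memset(ram, 0, RAM_SIZE);                       /* supply voltage gone: RAM lost */
    if (!on_power_up(ram, &nvm)) return -1;
    return (ram[10] == 70 && nvm.pf == 0) ? 0 : -2;
}
/* Scenario 2: PF set but the image is corrupt; state must not be restored. */
int simulate_bad_image(void) {
    uint8_t ram[RAM_SIZE] = {0};
    nvm_t nvm = {0};
    nvm.pf = 1; nvm.checksum = 0xdeadbeef;          /* constructed mismatch */
    return (!on_power_up(ram, &nvm) && nvm.pf == 0) ? 0 : -1;
}
```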