The present invention relates to a method of securely modifying data on a smart card. More specifically, the present invention relates to a method of securely loading or deleting data, and creating and deleting data structures, on a smart card, which method is also applicable in environments where so-called challenge-signed response authentications are not possible. The data concerned may comprise either executable (program) data, i.e. commands, or static (non-program) data, or both. The so-called static data may comprise file structures and/or data structures.
In modern payment systems, the use of electronic payment means is becoming increasingly important. Electronic payment means, such as memory cards and smart cards (generally called IC cards), are gaining acceptance as their applications are expanded. In many countries electronic cards are being used for public telephones and the like. Advanced cards are capable of containing electronic "purses", in addition to other functionalities. Such advanced payment means contain, in addition to a memory, a processor capable of running suitable programs.
It should be noted that in this text, the terms smart card or card will be used to denote electronic payment means having at least one integrated electronic circuit comprising a processor and a memory. The actual shape of a so-called smart card is not of importance.
The programs running on the processor of a smart card determine the services offered by the card, that is, the functions and associated data structures (e.g. purse, user identification, loyalty program) of the smart card depend on the software present in the card. As time passes, the need often arises to update the programs of the card, for example in order to add a new function or to improve an existing function. To this end, the card should be able to accept new programs which may replace other programs. However, it must be ascertained that the newly loaded programs are valid. Authentication of programs can relatively easily be accomplished by using a secure data exchange protocol where data are exchanged between a card and a secure terminal (having, for instance, a so-called security module in which keys and other data are securely stored). Such a secure protocol may comprise a challenge-signed response protocol. Examples of protocols for exchanging data between a smart card and a terminal are disclosed in e.g. U.S. Pat. No. 5,161,231 and European Patent Application 0,559,205 (corresponding with U.S. Pat. No. 5,369,760), which are incorporated by reference in this text.
However, in case a secure terminal is not present, such a secure protocol involving e.g. a challenge-signed response cannot be used, as the security of such a protocol depends on the trustworthiness of the terminal.
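The following is an added illustration of the challenge-signed response exchange referred to above; it is not the scheme of the present invention nor that of the cited patents. It assumes that the card issues a random challenge, that the terminal's security module answers by authenticating the challenge together with the program data, and that an HMAC-SHA256 keyed with a secret shared between card and security module stands in for the signature (a public-key signature would follow the same exchange). Names such as `Card`, `SecurityModule` and `load_via_terminal` are chosen for this example only.

```python
import hashlib
import hmac
import os


def _message(challenge: bytes, name: str, program: bytes) -> bytes:
    """Length-prefixed layout (an assumption of this example) so that the
    boundary between program name and program data is unambiguous."""
    name_b = name.encode("utf-8")
    return (challenge
            + len(name_b).to_bytes(2, "big") + name_b
            + len(program).to_bytes(4, "big") + program)


class SecurityModule:
    """Stands in for the terminal's security module, which holds the key."""

    def __init__(self, key: bytes):
        self._key = key

    def sign_response(self, challenge: bytes, name: str, program: bytes) -> bytes:
        return hmac.new(self._key, _message(challenge, name, program),
                        hashlib.sha256).digest()


class Card:
    """Stands in for the smart card; accepts a program only after verifying
    the terminal's response to the card's own fresh challenge."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending_challenge = None
        self.programs = {}

    def issue_challenge(self) -> bytes:
        # A fresh random challenge per load attempt defeats replay of an
        # earlier response.
        self._pending_challenge = os.urandom(16)
        return self._pending_challenge

    def load_program(self, name: str, program: bytes, response: bytes) -> bool:
        if self._pending_challenge is None:
            return False  # no outstanding challenge to bind the response to
        challenge, self._pending_challenge = self._pending_challenge, None
        expected = hmac.new(self._key, _message(challenge, name, program),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False  # wrong key, tampered program or stale challenge
        self.programs[name] = program
        return True


def load_via_terminal(card: Card, module: SecurityModule,
                      name: str, program: bytes) -> bool:
    """One complete exchange: card -> challenge, terminal -> response."""
    challenge = card.issue_challenge()
    response = module.sign_response(challenge, name, program)
    return card.load_program(name, program, response)


def demo() -> dict:
    key = b"constructed-demo-key"          # constructed sample key
    card = Card(key)
    trusted = SecurityModule(key)
    rogue = SecurityModule(b"wrong-key")   # terminal without the real key
    purse = b"\x01\x02\x03"                # constructed stand-in for program data

    results = {"valid": load_via_terminal(card, trusted, "purse", purse)}
    results["wrong_key"] = load_via_terminal(card, rogue, "loyalty", b"\x04")

    # Tampering: response computed over the genuine program, altered data sent.
    ch = card.issue_challenge()
    resp = trusted.sign_response(ch, "loyalty", b"\x04")
    results["tampered"] = card.load_program("loyalty", b"\x04\xff", resp)

    # Replay: a genuine earlier response reused against a new challenge.
    ch = card.issue_challenge()
    old_resp = trusted.sign_response(ch, "purse", purse)
    card.load_program("purse", purse, old_resp)
    card.issue_challenge()
    results["replayed"] = card.load_program("purse", purse, old_resp)

    results["loaded"] = sorted(card.programs)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the exchange with the correctly keyed security module succeeds; a response produced with another key, a response over different program data, and a replayed response are all rejected. The example also makes the limitation of the last paragraph concrete: the key that produces the response resides in the terminal's security module, so the card's acceptance decision is only as trustworthy as that terminal.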