The present invention relates to a secure memory management method, in particular a method of managing a memory of a smart card communicating with a terminal. It could nevertheless be applied to any other type of memory. The invention is particularly beneficial where the memory capacity consumed in managing the security of the memory must be kept small. The main problem to be solved is the amount of memory occupied by the system used to protect the files.
The invention will be particularly described in the case of an application to a smart card. It is nevertheless entirely transposable to other fields. It is known in the art, in particular in the smart card art, to organize the security of a transaction between an operating system and files in accordance with various modes. These modes are discussed in detail later. For the moment it may be assumed that there are secret code, authentication and secure message protection modes. There are also several types of processing to which the files can be subjected. Essentially their contents can be read. Their contents can also be written and erased. It is also possible to envisage the creation or the deletion of a file. An entire file can also be invalidated, after which it can be rehabilitated. In electronic purse applications, in which the file represents an amount of money, amounts of money can be debited or credited. Other functions can be provided in addition to the above seven functions. For example, if debit or credit operations are envisaged in a smart card purse application, a balance reading function can be provided that consolidates all previous debit and credit operations to establish a balance. A debit ceiling can also be applied whereby a debit is authorised only if it is below a ceiling.
The remainder of this description is limited to three security modes and to seven functions which can lead to modification of files. This is in order to clarify the explanation and because the description corresponds to a preferred use which is also the one most frequently employed.
In the prior art, during the development of an operating system, or more generally of a memory management system, each file is associated with a file descriptor. Before operating on a file, the operating system or the management system reads the content of the descriptor and limits its actions in accordance with constraints imposed by the file descriptor. In the field of microcomputers, the management system is made up of a set of programs. In the field of smart cards, the corresponding operating system is implemented in hardware, so that a hacker cannot change its nature and thereby change the whole of the protection mode that has been constructed.
During the development of an operating system, the number of memory words that a file descriptor must contain to cover all eventualities is high because each file can be protected in each of the intended modes (there are three modes in this example) for each of the intended functions (there are seven functions in this example). In this example, the number of memory words required is 21 (3 × 7). Given that a smart card can hold up to twenty files, a large number of memory words is needed to constitute the general descriptor. In this example it would be 420. If one byte is allocated to each memory word, with a memory size of the order of 1 kilobyte it would be necessary to allocate almost half the memory to the file descriptor. That is much too much.
Each element of information stored in a smart card is a file, whether it is a secret code, a credit, a debit, a card identity, a card serial number, etc. The problem of minimising the size of the descriptors is particularly acute in the field of smart cards because the physical dimensions of the microchip increase as the size of the memory increases. Being incorporated into a card, a microchip is subject to mechanical stresses by the cardholder. It can be folded and bent many times. The microchip can eventually break. The bigger the microchip, the more easily it breaks. Also, the cost of the component is increased and likewise the cost of incorporating it into the card.
The object of the invention is to remedy the excessive amount of memory occupied by the file descriptors, which is particularly beneficial in the field of smart cards. It is still beneficial whenever it is a matter of reducing space occupied unnecessarily, however.
To solve the above problems, it has been envisaged in the prior art to design fixed operating systems, i.e. operating systems dedicated to a given application. The disadvantage of this approach is that, once decided on, the solution cannot subsequently be altered. If anything has to be modified, then the entire operating system has to be rebuilt. On the other hand, providing users with a flexible operating system runs up against the problem of the amount of memory occupied by descriptors.
The invention aims to remedy this memory occupation problem by exploiting the fact that, although some files require precise security modes for some operations, others do not require any at all. The invention exploits this fact to constitute descriptors which occupy varying amounts of memory. It is shown that the method of the invention achieves a space saving of at least 50% and in most cases of at least 80%.
The invention divides the descriptor into two parts. A first part is reserved for the security modes. It is of fixed length. Its memory occupation expressed as a number of mode memory words is proportional to the number of modes envisaged. A second part concerns function memory words. The function memory words are present in the second part only if they are invoked in the first part.
The invention therefore provides a secure method of managing a memory in which:
files in the memory are allocated file descriptors,
said file descriptors include information on security modes needed to apply processing functions to data stored in the files, and
the security of the files in the memory is managed in accordance with the content of said file descriptors, characterised in that:
the security modes are divided into M different types and the functions are divided into N different types,
a first group of M mode memory words is created in the descriptor of each file, the length in bits of the mode memory words being at least equal to the number N of different types of functions,
the functions are stored in a particular order, the positions of the bits in the mode memory words conforming to that order, and
the bits of the mode memory words are rendered active or inactive according to whether a security mode must or must not be applied on application of a function to a file to which a descriptor relates.
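As an added illustration, not taken from the patent, the following C code builds and reads a descriptor in the two-part form just described: M fixed mode words whose bit positions follow the function order, followed only by the function memory words whose bits are active. The content of a function memory word is not fixed by the text and is assumed here to be the id of the key or secret code to present; the purse file's security requirements are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define M_MODES 3  /* secret code, authentication, secure messaging */
#define N_FUNCS 7  /* read, write, erase, create, delete, invalidate, rehabilitate */
#define MAX_DESC (M_MODES + M_MODES * N_FUNCS)  /* worst case: every bit set */

/* req[m][f] == 0: mode m not needed for function f. Otherwise it is the assumed
 * content of the function memory word (id of the key or secret code to present). */
typedef uint8_t sec_matrix_t[M_MODES][N_FUNCS];

/* First part: M fixed mode words, bit f set when mode m applies to function f.
 * Second part: one function word per set bit, in mode-then-function order. */
size_t desc_encode(const sec_matrix_t req, uint8_t *out)
{
    size_t len = M_MODES;                 /* descriptor length in bytes */
    for (int m = 0; m < M_MODES; m++) {
        out[m] = 0;
        for (int f = 0; f < N_FUNCS; f++)
            if (req[m][f]) {
                out[m] |= (uint8_t)(1u << f);
                out[len++] = req[m][f];
            }
    }
    return len;
}

/* Function word for (m,f), or -1 when mode m is not required for function f.
 * The word is located by counting the set bits that precede position (m,f). */
int desc_lookup(const uint8_t *desc, int m, int f)
{
    size_t idx = M_MODES;
    for (int mm = 0; mm <= m; mm++)
        for (int ff = 0; ff < N_FUNCS; ff++) {
            int set = (desc[mm] >> ff) & 1;
            if (mm == m && ff == f) return set ? desc[idx] : -1;
            idx += set;
        }
    return -1;
}

/* Constructed purse file: write/erase need secret code 1, invalidate and
 * rehabilitate need authentication key 2, invalidate also needs messaging key 3. */
static const sec_matrix_t purse_req = {
    { 0, 1, 1, 0, 0, 0, 0 }, { 0, 0, 0, 0, 0, 2, 2 }, { 0, 0, 0, 0, 0, 3, 0 } };

size_t purse_len(void) { uint8_t d[MAX_DESC]; return desc_encode(purse_req, d); }

int purse_word(int m, int f) { uint8_t d[MAX_DESC]; desc_encode(purse_req, d); return desc_lookup(d, m, f); }
```

For this purse file the descriptor takes 8 bytes instead of the fixed 21 of the prior art, a saving of about 62%; a file needing no protection at all shrinks to the 3 mode words.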