The present invention relates to a microcircuit for a chip card, comprising inter alia input/output access means, at least one memory which is programmable and accessible via an addressing space with consecutive addresses, an addressing control circuit for said programmable memory which dictates either an inhibition or a validation of write and/or read commands by comparison of the requested address with two limit values in respect of the beginning and the end of a particular address region, which limits are stored within the addressing control circuit, said circuit also comprising a priority authorization channel enabling temporary cancellation of said inhibition in predetermined, specific circumstances.
A microcircuit of this kind is notably known from the document FR 2 304 989, corresponding to U.S. Pat. No. 3,971,916.
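The following C model is an added example, not taken from this document or from the cited patents. It shows the comparison performed by an addressing control circuit of the kind described above: two stored limit values, inhibition or validation of read and/or write commands, and a priority authorization channel. All identifiers, the 16-bit address width, the inclusive limits and the multi-byte access length (a generalization beyond the single requested address mentioned in the text) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All names here are hypothetical; they model the circuit described above. */
enum access { ACC_READ = 1, ACC_WRITE = 2 };
enum region_mode { INHIBIT_INSIDE, VALIDATE_INSIDE };

struct addr_ctrl {
    uint16_t start;        /* stored limit: beginning of the region (inclusive) */
    uint16_t end;          /* stored limit: end of the region (inclusive) */
    unsigned guarded;      /* commands subject to the check: ACC_READ | ACC_WRITE */
    enum region_mode mode; /* does the region inhibit or validate? */
    bool priority;         /* priority authorization channel asserted */
};

/* Returns true when a command touching [addr, addr+len-1] is validated. */
bool addr_ctrl_check(const struct addr_ctrl *c, uint16_t addr, uint16_t len,
                     enum access op)
{
    uint32_t last = (uint32_t)addr + len - 1;

    /* Fail closed on empty or wrapping accesses and on inverted limits. */
    if (len == 0 || last > UINT16_MAX || c->start > c->end)
        return false;
    if (!(c->guarded & op))   /* command type not guarded by this circuit */
        return true;
    if (c->priority)          /* temporary cancellation of the inhibition */
        return true;
    if (c->mode == VALIDATE_INSIDE)   /* whole access must lie in the region */
        return addr >= c->start && last <= c->end;
    /* INHIBIT_INSIDE: reject any overlap, including an access that starts
     * before the region and ends after it (both endpoints are outside). */
    return last < c->start || addr > c->end;
}

int main(void)
{
    /* Constructed sample values: region 0x0100..0x01FF, reads and writes guarded. */
    struct addr_ctrl c = { 0x0100, 0x01FF, ACC_READ | ACC_WRITE,
                           INHIBIT_INSIDE, false };
    printf("write 0x0150      : %d\n", addr_ctrl_check(&c, 0x0150, 1, ACC_WRITE));
    printf("write 0x00F0+0x200: %d\n", addr_ctrl_check(&c, 0x00F0, 0x200, ACC_WRITE));
    c.priority = true;
    printf("write 0x0150 (pri): %d\n", addr_ctrl_check(&c, 0x0150, 1, ACC_WRITE));
    return 0;
}
```
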
The use of portable cards incorporating an electronic integrated circuit or "chip" is well known in the field of banking; also known is their high operational security. It is in fact almost impossible to access given data inscribed in protected regions of the microcircuit without destroying the latter. Moreover, an identification protocol involving a personal and secret code inscribed in a protected region of the microcircuit causes inhibition of any attempted use of the card if the identification conditions are not satisfied.
In the case of a bank card, the manufacturer of the card first produces cards which do not contain personalized information, after which secret data which personalize each card are written therein. The cards are subsequently protected by irreversible technological locking steps.
The personal identification codes are then sent to each user (the clients of the bank) and, via a different route, the cards themselves are despatched to the bank, which requests the clients to pick up the cards. This system offers a high degree of security against attempted abuse.
It is to be noted that a chip card can be used for applications outside the banking field where the practical aspects of portability of the card and its security of use offer interesting possibilities.
It could be envisaged to develop a specific microcircuit for each particular application, but it is more economical and simpler to conceive microcircuits of a type which is sufficiently universal so that the circuit can subsequently be programmed for the relevant application.
In this respect security problems arise if the writing of the secret identification data and the functional data for the actual application is entrusted to an entity other than the manufacturer of the microcircuit.
A person with bad intentions who succeeds in acquiring "virgin" cards and who has also obtained knowledge of the inscription techniques for a given application could illegally create falsified cards by imitating the original data inscription technique.
Therefore, the entity issuing the card, not being the manufacturer of the microcircuit, may wish to load the data of its application itself, so as not to disclose its secrets to the manufacturer of the microcircuits.
These security problems are aggravated when the creation of "multi-application" cards of a universal type is envisaged, which cards are originally virgin-like and are to be successively loaded, in an arbitrary succession, with data and programs of different applications by issuing entities which are unrelated to one another. Therefore, the aim will be to achieve a dynamic allocation of the programmable memory in adequate security conditions.
The manufacturer of the microcircuits should be able to provide for the protection of several regions of the memory for which he does not yet know the individual limits, so that each issuing entity could protect the region in which it has loaded its secret functional data against any reading or writing attempts stemming from another application, regardless of whether these attempts stem from a programming error induced by the entity having issued said other application or from illegal programming by a fraudster. Notably, it would be illusory to supply a plurality of entities, capable of loading various applications, with programming secrets relating to the loading of all applications and still hope that these secrets will never get into the hands of personnel with bad intentions. No solution can be envisaged in this direction, the more so because a fully authorized but malicious entity could issue an application containing a programming error leading to the destruction of data contained in an application which is not its own.