Removable chip cards are used in terminals, e.g. mobile communication terminals such as mobile phones, to securely store keys used to identify a subscriber in a mobile network (such as mobile phones networks and/or the internet). As an example, the chip cards assigned to a user allow users to change mobile phones by simply removing the chip cards from one mobile phone and inserting it into another mobile phone or broadband telephony device. As an example, the mobile phone and a SIM-card as the chip card forms a mobile station able to communicate in a mobile phone network.
In order to be able to provide a time signal as a time reference, chip cards can be equipped with clock units. Such chip cards may comprise a battery to run the clock unit even if the external power supply of the chip card (e.g. provided by the terminal power supply) is interrupted. This is usually the case, when the terminal is turned off. Thus the clock unit can be configured as an essentially autarkic system providing tamper-resident time information (or time reference). However, to provide an absolute time signal, the clock has to synchronized at least one time, e.g. at production time of the chip card. This approach has the disadvantage, that the chip card's internal battery might run empty before starting to use the chip card in a terminal. Often the time between production of chip cards and the start of use is undetermined On the other hand, the recharging intervals for the battery of the chip card might be insufficient when using the terminal only rarely. An empty battery would result in a loss of the synchronized time even when synchronized one time. The synchronization of the time signal may also be performed using the time reference of the terminal, where the chip card is inserted to. However, one important feature of the chip cards is its possibility of being interchanged between different terminals eventually providing deviating time references (e.g. according to deviating local times) making a trusted absolute time reference for the interchanged chip card impossible. Also the time provided by a terminal may be set by the user of the terminal preventing any trusted absolute time reference. An alternative solution to provide an absolute trusted time signal would be a connection of the chip card to a remote network time server. The challenge with this approach is that this would require the ubiquitous availability of a mobile network connection and more important it will introduce dependencies on another element in the security architecture to provide an absolute trusted time reference. The other element must be auditable, always online and available during the lifetime of all chip cards. In addition the chip card would require storage of credentials needed to authenticate the remote network time server to make sure, that the received time reference is not manipulated.