The present invention relates to secured multi-application programming on a dual component electronic computing device.
Prior art is described in applicant's U.S. Pat. Nos. 5,513,133 and 5,742,530, and in WO 98/50851, WO 99/26184 and WO 00/42484. Other prior art is described in U.S. Pat. No. 4,742,215, in WO 00/48416 and WO 99/01848, and in an article by Pierre Girard and Jean-Louis Lanet of Gemplus International, "New Security Issues Raised by Open Cards", Information Security Technical Report, vol. 4, pp. 19-27, Elsevier, May 1999 (hereinafter "Girard").
Computing platforms intended for electronic commerce, or for storing and processing data for other applications, are constantly being attacked by competitors, vandals and other hostile entities. The problem of devising secure systems becomes more intricate as new, more flexible and more complex modes of operation emerge. In the realm of ubiquitous computing, smart cards and subscriber identification modules within telephone handsets are typically expected to execute programs originating from a plurality of entities and, as described in Girard supra, even to allow new application programs to be loaded while the system is in service in the field. Another emerging need is to combine processing and security features with the capability of storing significant amounts of data on small devices, such as the device disclosed in applicant's U.S. Pat. No. 5,519,843. While solutions have been proposed for ensuring security in such platforms, as described in the background section supra, the extent of security actually achieved is largely unknown, because attacks and methods for breaking security arrangements are not always foreseen. The prevalent use of a single processing engine, as in current art designs, both for executing application programs that cannot enjoy the same level of trust as the inner core of the system and for executing the operations belonging to the inner core, in principle lowers the level of confidence that can be placed in the security of the system. More confidence can be gained by defining logical borders between the components and sub-modules of the system, and by defining and adhering to formal rules governing the interactions between those components and sub-modules.
The present invention shows how such separation and logical borders between components and sub-modules can be defined and embodied in a physical realization, in association with security rules, one of the methods adopted to accomplish the separation being the use of at least two processing engines instead of a single processing engine.
It is the purpose of the present invention to provide a secure computation system achieving the same level of security as closed, rigid, more rudimentary security application modules (SAMs), while providing an open and flexible environment operable to serve multiple applications associated with multiple agents, including remote downloads in the field. Further objects of the invention are to provide a system operable to control secured repositories of data and programs, to support protected, mutually exclusive execution of programs, to control the operation and store the results of electronic value applications and transactions, to enable authorized downloading of data for storage, and to enable authorized downloading of programs for execution. A further object of the invention is to provide a design for a secure data module implementable on small mobile devices. A further object of the invention is to provide a design for a secure data module containing an "off the shelf" prior art core of a more rudimentary security application module (SAM), integrated with circuitry implementing the complementary part of the system. A further object of the invention is to create a secure data module in which symmetric key and public key cryptographic techniques operate within a closed, tamper-resistant environment. A further object of the invention is to create a secure data module integrated with physical devices for confidentially authenticating a user, typically fingerprint and PIN (Personal Identification Number) readers. A further object of the invention is to create a secure data module compliant with existing and forthcoming standards, as described in the "background of the invention" section supra. In one typical implementation, the system is embedded within a wireless communication device. In a further typical use, the system is operable to support a credit or debit charge card clearance scheme protected by public key cryptography.
In a further typical use, the system serves as a mobile agent for airlines, comprising an updatable repository of flight schedules and an automatic airline reservation and ticketing scheme, with payment implemented over a PKI charge clearance network.
In a preferred embodiment of the invention, the system includes
a first component operable to ensure authorized access to the secured repositories of data and programs, to manage and control those repositories, to ensure their integrity, and to prevent one application from utilizing, scrutinizing or modifying another application, and
a second component operable to execute authorized applications, the first and second components operating in parallel.
In another preferred embodiment, portions of a complete program are fetched at run time from the repositories of programs, and any access by the running program to locations within those repositories that are not allotted to it is blocked by a firewall. The firewall comprises a mask of control values, one corresponding to each of a plurality of segments within the repositories of programs, and the mask is controlled by the first component.
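As an added illustrative model (not the patent's own circuitry; the class names, the toy instruction set, the 64-byte repository and the 16-byte segment size are assumptions), the following shows the division of roles the embodiment describes: the first component loads programs and owns the per-segment control mask, the second component executes one application at a time and can only obtain code through a fetch that the mask checks, and a jump into another application's segment is refused.

```python
"""Model of a segment-mask firewall between a secure core and an execution engine.

Added example, not from the patent. SEGMENT_SIZE, the opcodes and the
constructed programs below are assumptions chosen for illustration.
"""
from typing import Dict, List, Optional

SEGMENT_SIZE = 16            # bytes per segment (assumed)
OP_ADD, OP_JMP, OP_HALT = 0x01, 0x02, 0x03   # toy two-byte instructions: opcode, operand


class AccessViolation(Exception):
    """Fetch aimed at a segment whose control value does not name the running application."""


class SecureCore:
    """First component: owns the program repository and the mask of control values.

    Each entry of `mask` is the control value for one segment: the id of the
    application allotted that segment, or None if the segment is unassigned.
    Only this component writes the repository or the mask.
    """

    def __init__(self, repo_size: int) -> None:
        self.program_repo = bytearray(repo_size)
        self.n_segments = -(-repo_size // SEGMENT_SIZE)   # ceiling division
        self.mask: List[Optional[int]] = [None] * self.n_segments

    def load_program(self, app_id: int, code: bytes, first_segment: int) -> int:
        """Authorized download: place `code` in free segments and mark them for `app_id`.
        Returns the base address of the loaded program."""
        needed = -(-len(code) // SEGMENT_SIZE)
        segs = range(first_segment, first_segment + needed)
        if segs.stop > self.n_segments or any(self.mask[s] is not None for s in segs):
            raise ValueError("requested segments are outside the repository or already allotted")
        base = first_segment * SEGMENT_SIZE
        self.program_repo[base:base + len(code)] = code
        for s in segs:
            self.mask[s] = app_id
        return base

    def allowed(self, app_id: int, addr: int) -> bool:
        """Firewall decision: the segment holding `addr` must carry `app_id` as its control value."""
        seg = addr // SEGMENT_SIZE
        return 0 <= addr and seg < self.n_segments and self.mask[seg] == app_id

    def fetch(self, app_id: int, addr: int) -> int:
        """The only path by which code leaves the repository; blocked unless `allowed`."""
        if not self.allowed(app_id, addr):
            raise AccessViolation(f"app {app_id} denied at 0x{addr:04x} (segment {addr // SEGMENT_SIZE})")
        return self.program_repo[addr]


class ExecutionEngine:
    """Second component: runs one application at a time, fetching every byte via the core."""

    def __init__(self, core: SecureCore) -> None:
        self.core = core

    def run(self, app_id: int, pc: int, max_steps: int = 64) -> int:
        acc = 0
        for _ in range(max_steps):
            op = self.core.fetch(app_id, pc)        # each fetch passes through the firewall
            arg = self.core.fetch(app_id, pc + 1)
            if op == OP_ADD:
                acc, pc = (acc + arg) & 0xFF, pc + 2
            elif op == OP_JMP:
                pc = arg                            # absolute target; checked on the next fetch
            elif op == OP_HALT:
                return acc
            else:
                raise ValueError(f"bad opcode 0x{op:02x}")
        raise RuntimeError("step limit exceeded")


def demo() -> Dict[str, object]:
    """Constructed scenario: two well-behaved applications and one that jumps across the border."""
    core = SecureCore(repo_size=64)                       # four 16-byte segments
    wallet = bytes([OP_ADD, 5, OP_ADD, 7, OP_HALT, 0])    # app 1, segment 0: returns 12
    loyalty = bytes([OP_ADD, 1, OP_HALT, 0])              # app 2, segment 2: returns 1
    rogue = bytes([OP_JMP, 2 * SEGMENT_SIZE])             # app 3, segment 3: jumps into app 2's code
    wallet_base = core.load_program(1, wallet, first_segment=0)
    loyalty_base = core.load_program(2, loyalty, first_segment=2)
    rogue_base = core.load_program(3, rogue, first_segment=3)

    engine = ExecutionEngine(core)
    results: Dict[str, object] = {
        "wallet": engine.run(1, wallet_base),
        "loyalty": engine.run(2, loyalty_base),
    }
    try:
        engine.run(3, rogue_base)
        results["rogue"] = "ran"
    except AccessViolation:
        results["rogue"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The engine never holds a reference to the repository itself; it can only ask the core for a byte on behalf of a named application, so the mask is consulted on every fetch rather than once at load time, which is what makes a run-time jump across the border fail.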
In a preferred embodiment of the invention, the system is embedded within a single monolithic microelectronic integrated circuit. In another preferred embodiment, traffic of information between parts of the system that do not reside on a common monolithic IC chip is encrypted.
In a preferred embodiment of the invention, the internal circuitry is protected by physical tamper-resistance methods and contains D/A (Digital to Analog) converters, so that data contents, typically audio signals, are held in digital form within the data repositories but are exported in analog form only, hiding the digital contents from the outside.