Some smart cards can comprise several applications, stored in non-volatile memory, for example in a ROM or EEPROM memory, in other words their microprocessor has available in memory executable (or interpretable) codes for several computer program applications and is designed to execute them in order to accomplish a task or to fulfill a particular function.
It is common to wish to store and to execute two independent and autonomous applications on the same card. Two applications can be independent in the sense that their respective codes do not make use of commands or data specific to the other application. Their execution is then independent. On the other hand, it is not ruled out that, during their respective executions, they occasionally become partners and exchange data between them as do a large number of applications.
It may, for example, be envisioned that a first default application is a mobile telephony application, if the system is a mobile telephony card designed for a mobile telephone, and that a second application is a banking application used in an occasional manner, for example, in order to make a payment by means of the telephone. This can notably allow the smart card to comply, for example, with both a mobile telephony standard (for example, a GSM [acronym for “Global System for Mobile Communications”] standard or ETSI [acronym for “European Telecommunications Standards Institute”] standard) and with a banking standard (for example EMV [acronym for “Europay Mastercard Visa”]).
Typically, these applications receive data and commands from outside the card in order to carry out a task or perform a particular function.
For software engineering, fabrication and/or certification reasons, it does not turn out to be practical to define, in the first application, a reference to the second application or the commands that the second application accepts. If this were the case, the code for the first application would then be dependent on the second application. It would then become extremely complex and costly in modifications to the first application if it were desired to modify or to replace the second application, or even to add a third application.
The invention aims to overcome these drawbacks by providing a smart card that determines the assignment of the commands received with respect to an application, notably a preponderant one in the sense that the latter processes all the commands received by the smart card, solely according to this application.
For this purpose, a subject of the invention is notably a smart card storing a first and a second application and comprising means for receiving commands originating from outside the card, said first application being capable of executing first commands, the card comprising means for determining whether a received command is implemented by the first application so as to transmit said received command to the second application in the case of a negative determination.
Accordingly, the determination is carried out solely with respect to this first application, without any knowledge of the other application or applications. It is thus possible to have independent and autonomous applications executed on the card without this being detrimental to the execution of the commands.
It is thus possible notably to perform separate certification and/or design tasks on the applications.
When it is determined that the received command is not intended for the first application, this command is naturally transmitted to the other application.
It is noted that this solution is inexpensive in terms of development in the sense that modification of the standard is not required in order to add, for example, complementary information to the commands or to modify the applications.
In one embodiment, said receiving means are configured for transmitting said received commands to said first application and said determination means form part of said first application.
In one embodiment, said determination means comprise means for comparing the received command with at least one of said first commands. The determination is thus adapted to the existing means of the first application.
In particular, for as long as the received command does not correspond to a command of the first application, the comparison with all of the first commands is carried out. Thus, a negative determination decision is only taken after having analyzed all of the first commands.
In one embodiment of the invention, the determination means comprise a table stored in memory comprising a list of said first commands. The complexity of this embodiment is low since both the table and the comparison with this table are mechanisms that are widely used and understood. Furthermore, this embodiment makes the updating of this table straightforward and inexpensive when the first application is modified or changed.
In order to speed up the processing of the received command if this must be executed by the first application, the table is also designed to comprise, for each first command listed, an address for execution of said first command by the first application.
According to one variant which may also be used in combination, the determination means comprise at least one conditional instruction within the execution code of said first application. Typically, the conditional instructions take the form of a function “if condition then . . . else . . . ”.
This embodiment only requires the execution of the first application upon receiving the command in order to carry out the determination.
In combination, this embodiment allows the execution code of the first application to be protected in the case where the table contains errors.
In particular, the determination means comprise a single conditional instruction comparing said received command with all of said first commands. This solution then requires the corresponding condition to carry out the comparison between the received command and the first commands, preferably all of these first commands. The use of only one conditional instruction allows the processing of the received command to be expedited.
As an alternative, the determination means comprise a plurality of conditional instructions each relating to at least one first command. Each conditional instruction may for example be designed to compare the received command with one of the first commands. It is noted here that the determination is negative if none of the conditions is verified. This solution may notably be applied in the case where there are a large number of first commands, because the conditions are then readily executed with few resources.
In some cases, smart cards may comprise, at the same time, an application with severe security requirements and an application with moderate security requirements.
Typically, applications with severe security requirements are, for example, payment or holder identification applications (passport, identity card). For these applications, the customers demand a high level of security which requires particularly long and costly evaluation procedures, for example according to common criteria, carried out by a certified independent body. Certain assessment procedures can last over a year and cost several tens of thousands of euros for one model of smart card. Generally speaking, a new assessment, which is optionally streamlined, must be carried out when the application is upgraded.
Applications with moderate security requirements are, for example, mobile telephony applications (for example for identifying a subscriber to a mobile telephony network) or transport applications (for example, access to a public transport network). These applications do not generally require certification or require a much shorter and much less costly certification procedure than the previous examples.
When these two types of applications co-exist within the same smart card microprocessor, the applications with moderate security requirements must be assessed and certified according to the same criteria as the applications with high security demands, which implies high costs and lengthy delays.
Furthermore, it is known that smart card readers are generally designed to read a smart card via contacts provided for this purpose on the surface of the smart card whose function is generally pre-determined and does not change over the lifetime of the reader. In order to adapt to a new function for a contact, the reader electronics generally need to be modified, which is generally not feasible (at a reasonable cost) for the consumers using these readers.
Moreover, the number of contacts according to the ISO 7816 standard is limited to 8, five of which are used for the protocol according to the ISO 7816 standard (c1, c2, c3, c5, c7), two of which may be used by a high-speed USB protocol (for example c4 and c8) or three in the case of an MMC protocol, which limits the capacity for upgrade development of smart cards.
The invention may therefore provide for the smart card to comprise a first and a second microprocessor for respectively executing said first application and said second application.
By separating the two microprocessors in the present invention, a smart card reader can send commands to the two microprocessors without it becoming necessary to implement additional contacts with respect to the case where commands would be sent to only one microprocessor. Moreover, the security of the first and second microprocessors can be certified independently.
In one embodiment, the card comprises at least one input/output line, preferably according to the ISO 7816 standard, which connects the two microprocessors and is used to transmit said received command between the two microprocessors.
Notably, a clock link is provided which connects the two microprocessors in such a manner that said first microprocessor supplies a clock signal to the second microprocessor, notably according to the ISO 7816 standard. It is recalled that the clock signal according to the ISO 7816 standard corresponds to the contact c3 of the standard.
By virtue of these arrangements, the two microprocessors can operate with different clocks, for example with timings according to different clock frequencies.
According to particular features, the first microprocessor comprises means for inhibiting said clock signal supplied to the second microprocessor.
By virtue of these arrangements, in the case where the second microprocessor comprises means for going into standby in the absence of a clock signal, in order notably to conserve the current supplied by the reader, which can be particularly critical when the reader is in a portable device powered by a battery, such as a mobile telephone, the first microprocessor can control the standby mode of all or a part of the second microprocessor.
In one embodiment, said two microprocessors are mounted on the same module printed circuit (for example, a microprocessor module, also referred to as a chip). This further simplifies the independent certification of the two microprocessors, with a view notably to obtaining a highly secure microprocessor.
According to one variant, the card comprises a card body and a module printed circuit accommodated by the body, said first and second microprocessors being respectively provided on said module printed circuit and in said body, and interconnected via conducting tracks provided in the card body.
It may notably be chosen that the first microprocessor implements a lower level of security than the second microprocessor.
By virtue of these arrangements, a smart card reader only implementing the security level of the first microprocessor can control the operation of the second microprocessor. Moreover, the second microprocessor can have its security enhanced owing to the fact that it receives its commands only from the first microprocessor.
As a variant to the use of two microprocessors, the card is designed to comprise a module printed circuit equipped with the same first microprocessor for executing said first and second applications.
According to one possible feature of the invention, the card comprises a first microprocessor for executing said first application, in which card the receiving means comprise electrical contacts designed to receive said commands, said electrical contacts being exclusively connected to the first microprocessor. Here, the electrical contacts for communicating (here exclusively connected to the first microprocessor) are differentiated from contacts potentially used for other purposes, for example for the component electrical power supply, which can optionally be connected to the other microprocessor without any detriment to the processing of the commands (which are received on the other contacts).
In particular, the electrical contacts are flush with the card surface. A contact card reader is then employed.
In one embodiment, said electrical contacts are provided on one face of a module printed circuit and said microprocessor(s) is (are) mounted on the other face of said module printed circuit.
By virtue of these arrangements, a robust mechanical protection for the microprocessor(s) is obtained.
Conventionally, the receiving means are designed to transmit outside of the card responses to the received commands. Bidirectional communications are thus established with the card, notably for carrying out transactions.
It has previously been seen that, by virtue of the invention, the same electrical contacts are used as for the cards comprising only one application. In order to enable efficient bidirectional communications with the second application, the first application is designed to pick up the responses from the second application prior to transmitting them outside of the card.
Notably, the communications between the applications can be effected by means of APDU (acronym for “Application Protocol Data Unit”) commands.
According to one embodiment, said first application complies with a mobile telephony standard, notably an application for identifying a subscriber to a mobile telephony network.
According to one variant, said first application comprises a smart card web server, also written as SCWS.
In one embodiment, said second application is a payment application, notably according to the EMV (acronym for “Europay Mastercard Visa”) standard.
According to one possible feature of the invention, the receiving means comprise means for communicating with a wireless communications interface of a card reader. In practice, this wireless interface is combined with the electrical contacts, in which case it is also envisioned that the wireless interface be connected to the system via one or more of the electrical contacts. Notably, one or more electrical contacts may be dedicated to this wireless communications interface.
In use, it may be envisioned that only the second application uses the wireless interface.
Notably, said means of communication comply with the NFC (acronym for “Near-Field Communication”) standard. Thus, with a mobile telephone equipped with such means of communication, a payment can be effected with an existing payment microprocessor already certified according to the common criteria.
In particular, said means of communication may implement an SWP (acronym for “Single Wire Protocol”) communications protocol with the card, notably with the first microcircuit or the first application.
The case where there are a large number of applications embedded and executed in the smart card is also envisioned. In this case, even if the determination means determine that the received command is not destined for the first application, they cannot know to which application the command is to be transmitted.
It is then planned to apply, in a recursive manner, the mechanism described hereinabove, namely that once the received command has been transmitted to the second application, the latter plays the role of the first application for the following iteration.
Thus, according to particular possible features of the invention, the smart card comprises a third application and, in the case of transmission of the received command to the second application, said determination means are designed to determine whether the received command is implemented by said second application so as to transmit said received command to the third application in the case of a negative determination, said determination means comprising means for comparing the received command with at least one command implemented by said second application.
This feature may also be included in a definition of smart card comprising a plurality of hierarchized applications and means for receiving commands originating from outside the card, the card comprising means for determining, in the case of transmission of the received command to one of said applications, whether the received command is implemented by said application so as to transmit said received command to the lower level application in the case of a negative determination, said determination means comprising means for comparing the received command with at least one command implemented by said application.
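The table-based determination and the recursive hand-over between hierarchized applications described above can be sketched as follows. This is an added example, not code from the patent: the CLA/INS byte values, the handler, the three application tables and the choice to answer with ISO 7816-4 status word 0x6D00 when no application implements the command are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SW_OK                0x9000  /* ISO 7816-4: normal processing */
#define SW_INS_NOT_SUPPORTED 0x6D00  /* assumption: reply when no application matches */

typedef struct { uint8_t cla, ins; } apdu_t;           /* command header only */
typedef uint16_t (*handler_t)(const apdu_t *cmd);

/* One table row: a command the application implements plus its execution address. */
typedef struct { uint8_t cla, ins; handler_t run; } cmd_entry_t;

/* An application knows its own table and the next lower-level application, nothing else. */
typedef struct app {
    const cmd_entry_t *table;
    size_t count;
    const struct app *next;
} app_t;

typedef struct { uint16_t sw; int level; } result_t;   /* level 0 = first app, -1 = none */

static uint16_t ok(const apdu_t *cmd) { (void)cmd; return SW_OK; }  /* hypothetical handler */

/* Constructed sample command sets; the values are illustrative only. */
static const cmd_entry_t telephony_cmds[] = { {0xA0, 0xA4, ok}, {0xA0, 0x88, ok} };
static const cmd_entry_t payment_cmds[]   = { {0x80, 0xA8, ok}, {0x80, 0xAE, ok} };
static const cmd_entry_t transport_cmds[] = { {0x90, 0x10, ok} };

static const app_t transport = { transport_cmds, 1, NULL };
static const app_t payment   = { payment_cmds,   2, &transport };
static const app_t telephony = { telephony_cmds, 2, &payment };

/* Determination is made against this application's table only. The decision is
 * negative only after every row has been compared; the command is then passed to
 * the next application, which plays the role of "first application" in turn. */
result_t app_process(const app_t *app, const apdu_t *cmd, int level)
{
    if (app == NULL)
        return (result_t){ SW_INS_NOT_SUPPORTED, -1 };
    for (size_t i = 0; i < app->count; i++)
        if (app->table[i].cla == cmd->cla && app->table[i].ins == cmd->ins)
            return (result_t){ app->table[i].run(cmd), level };
    /* The lower application's response returns through this call, so the
     * first application is the one that relays it outside the card. */
    return app_process(app->next, cmd, level + 1);
}

/* Entry point: every command received from outside goes to the first application. */
result_t card_receive(uint8_t cla, uint8_t ins)
{
    apdu_t cmd = { cla, ins };
    return app_process(&telephony, &cmd, 0);
}

int main(void)
{
    result_t r = card_receive(0x80, 0xA8);
    printf("sw=%04X served at level %d\n", (unsigned)r.sw, r.level);
    return 0;
}
```

Replacing or adding a lower-level application only changes its own table and the `next` link; the first application's table is untouched.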
The smart card may also be designed to comply with the ISO 7816 standard and/or the MMC (acronym for “MultiMedia Card”) standard.
According to one possible feature of the invention, the smart card is of the SIM (acronym for “Subscriber Identity Module”) or USIM (acronym for “Universal Subscriber Identity Module”) type.
According to another possible feature of the invention, the card complies with the ID-000 format according to the ISO 7816 standard.
Another subject of the invention is a device comprising a smart card such as is presented hereinabove. In particular, this device may be a terminal, a host station or else a reader; for example, a mobile telephone or a personal computer.
Another subject of the invention is a method for executing a command by a smart card storing a first and a second application, said first application being capable of executing first commands, the method comprising the following steps:
- receiving a command from outside the card,
- upon receiving it, determining whether the received command is implemented by said first application,
- in the case of a negative determination, transmitting said received command to the second application.
Optionally, the method may implement means relating to the smart card features presented hereinabove.
Notably, the receiving step can comprise the reception of said command by the first application.
Equally, the determination can comprise the comparison of the received command with at least one of said first commands.
According to one embodiment, the determination comprises the comparison of said received command with a table listing said first commands.
As an alternative, said determination comprises the execution, by said first application, of a conditional instruction included in the code of said first application. In particular, said determination comprises the execution of a single conditional instruction, said determination being negative when said condition is not met. As a variant, said determination comprises the execution of a plurality of conditional instructions each relating to at least one first command, said determination being negative when together the conditions are not met.
In one embodiment, the method comprises, in the case of a negative determination, a step for transmission, by said first application and upon command from said second application, outside of the card of at least one response to the received command. An external smart card reader thus obtains a bidirectional communication with the second application.
Since the advantages, objectives and particular features of this method, and of this telephone and of this process for marketing are similar to those of the card, subject of the present invention, such as is succinctly described hereinabove, they are not recalled here.