The invention concerns portable electronic objects such as electronic microcircuit cards, known as smart cards, which, connected to electronic devices to enable the latter to perform particular functions in the context of one or more applications, require their life stages to be controlled. The said cards are in fact generally used in applications (banking, communication, identity, health etc) requiring a high degree of security against fraudulent usage. Thus, by way of example, the document U.S. Pat. No. 5,473,690 presents a smart card comprising several applications, access to which is protected by passwords, a password being dedicated to a user. Knowing a password, it is possible to select one application or another. However, it is not possible to deactivate an application or limit the use thereof whatever the user of the card as a function of the life stages of the said card.
The invention applies more generally to any independent on-board system provided with a processing unit and program and data memories.
In the world of smart cards it is known that the latter result from assembling a component (generally comprising a microprocessor in relationship with memories via communication buses), a module (produced by means of a conductive metal) to which the said component is connected (in the context of a so-called contact smart card) to enable the said component to be connected to an electronic reading and/or writing device (or coupler) and a card body or more generally a support on which the module/component assembly is integrated. In the context of a so-called contactless smart card, the said module is replaced by an antenna and the assembly formed by the component and the said antenna is integrated within the said support.
The life of a smart card can generally be broken down into two sets of stages following each other, corresponding respectively to the manufacture and use of the said card. Putting together the two sets of stages forms a life cycle of the said card. The manufacture of a smart card (with or without contact) consists of several stages.
This is because it is first of all necessary to have an electronic component which is initialised, insulated and then connected to a module. The said component and the module to which it is connected are subsequently integrated on or within a support (generally a plastic card body) itself printed for the purpose of identification or advertising. Subsequently the smart card thus obtained is initialised or programmed in order to meet the conditions of use in the context of applications.
The second set of life stages of a smart card corresponds to its use. This set can itself be divided into several stages, each corresponding, for example, to the implantation or elimination of services offered by the smart card to the user according to his profile, for example.
In addition different participants (component manufacturer, smart card manufacturer, card personalisation centre, card issuer or card carrier) act during the different stages of manufacture and use of a smart card. Thus the components are supplied and sometimes partly initialised by electronic component manufacturers on a silicon wafer. This phase corresponds to the step of manufacturing the component. The following step is the embedding phase carried out by the smart card manufacturer. It includes the insulation of a component from the silicon wafer, the connection of the said component to a module (or antenna), and the integration of the assembly on the support or card body. There follows the preparation of the application structure present in the electrically programmable memory of the component. This is the electrical personalisation stage which is carried out by the manufacturer of the smart cards or by a personalisation centre or a third party specialising in personalisation of cards or by the issuer himself who is ultimately responsible for the distribution of the cards on the market. This electrical personalisation phase can therefore be broken down into as many stages as there are players or intermediaries. Subsequently, during the use of the smart card, we have seen previously that it can be advantageous to distinguish several stages along with the change in the profile of the card user for example. For all these reasons, it is therefore important to rigorously monitor the life stages of a card in order to know at any time the current stage of the said card within its life cycle. In addition, it is essential on the one hand for access to the electrically programmable memory of a card component in write or read mode to be protected during the exchange of the said card (or component) during the different players and on the other hand for access to the said memory to be limited as the life stages of the card mentioned above follow each other, by activating or deactivating services for example. Finally, it is also sometimes necessary to validate the application context of the smart card before the carrier thereof uses it on the market. For example, a person issuing a smart card of the electronic purse type must be certain that the balance of the said card is indeed zero before issuing the card.
In order to attempt to meet these requirements, different solutions are used at the present time. Certain solutions are purely external to the smart card (physical security at the premises where the said card is manufactured, use of transportation means which are themselves made secure etc). Other solutions complementary to the first, but this time internal or implanted in the card, are also generally used. Use is thus made of secrets for protecting access to the component memory in read/write mode and also logic indicators for irreversibly monitoring the different life stages of the card. For this purpose, bits within a non-erasable memory of the component of the smart card are positioned at the active state at the end of the different life stages of the card (manufacture and initialisation of the component by the manufacturer of the said component, embedding and initialisation of the card memory by the smart card manufacturer, preparation of the application structure of the smart card memory by the personalisation centre or the card issuer etc). According to these indicators, the program (or operating system) executed by the microprocessor of the smart card component, implanted within one of the memories of the said card component, adapts its behaviour as the life stages of the said card follow each other. Thus functions can be modified, added or eliminated.
Whatever the solutions used at the present time, they are all based on the fact that the different players involved in the manufacture of a card are trusted third parties. Only persons liable to intercept components or cards during their transfer between two of the different players are deemed to be “potential fraudsters” and the solutions disclosed above make it possible to be free of them. The adaptation of the operating system of the card according to irreversible indicators affords a not insignificant advantage. Thus, if the manufacturers of the components or cards inscribe systems data or secrets, the card issuer will for example not be able to dispense freely with the said secrets or modify the said system data. However, this solution does not resolve the problem of a fraudulent initialisation of the card or an inopportune error during the said initialisation, carried out by one of the participants.