The invention relates to a computer system in which a population of computers has access to multiple software applications. The computers may be personal computers (PC's) or, for example, integrated circuit cards (“IC cards”) also known as “smart cards”. The applications may be programs available from a variety of sources including computer tape or disc and, in particular, remote computers with which a serial link, typically by telephone, is established.
In the PC environment, it is customary to distribute applications on floppy discs or CD ROMS and to retain them on a local hard disc for operation. In many ways, this is inconvenient, demanding high capacity local storage media and presenting difficulties with updates. In the field of smart cards, the problem of local application storage is much more acute, because storage capacity in the integrated circuit is relatively very limited. A solution in both cases is to make available applications held remotely and download them via a remote link. Internet and intranet systems are ideal vehicles for this, and it is possible to run PC's from Internet application modules (or “applets” as they are called) for immediate running and then to discard them. The applets require no local long-term storage capacity. An example of such a system is JAVA.
Several difficulties are associated with downloaded applications. One is hardware compatibility. Different computers have different microprocessors and different operating systems. It has been customary to re-write applications to cater for different computers, but this is cost-effective only for large, widely used, and static applications. It is not practicable for applets. A second problem is control of the applets. Without control, it would be possible for applets to make direct hardware calls to take control of local storage or communication devices. This could be mischievous at best and severely damaging or criminal at worst.
JAVA meets these two difficulties by ensuring that the applets are written in a common high-level interpreted language and that a local interpreter processes the applet instructions. Thus, all applets are written in the same language, and the interpreter constitutes both a hardware and a control buffer. Similarly, and for the same reasons, proposals have been made for on-board interpreters in smart cards to run downloaded high-level language applications.
The wide availability of multiple applications to a population of computers raises another problem. For various reasons, it may be desirable to restrict the availability of certain applications to certain computers. For example, some applications may make demands which the hardware of a particular computer cannot meet. These represent technical limitations present in spite of the interpreter arrangement. Furthermore, there may be commercial or moral restraints to be placed on the accessibility of certain applications to certain computers. The present invention seeks to provide a solution to this problem.
According to the invention, a computer system comprises a population of computers; tamper-resistant modules each associated respectively with one of said computers; a plurality of computer applications; provider means for holding the computer applications; and means for coupling the provider means to the computers for downloading the computer applications to the computers.
The arrangement, according to the invention, allows the provision of computer specific applications or application specific computers. In some embodiments, both the tamper-resistant module and the application have both class identifiers and bit-maps so that mutual control may be exercised. However, in a preferred embodiment of the invention, the tamper-resistant module has the bit-map and the application has class identifiers. The integrity of the system depends upon both the bit-map and the class identifiers being secure. The tamper-resistant module secures the bit-map whereas the class identifiers are preferably secured by an encryption system in which a class identifier section of the application is digitally certified by a system manager.
In a preferred embodiment of the invention, class identifiers are provided both for the tamper-resistant module (TRM) and the application. The computers may be PC's, in which case the tamper-resistant modules may be smart cards read by readers attached to the computers or, for example, dongles, PC cards, or PCMCIA cards coupled to the computers.
In a preferred embodiment of the invention, the computers are embodied in integrated circuits which are themselves the tamper-resistant modules. Typically, the integrated circuits are mounted in IC cards, which are becoming increasingly used for many different purposes in the world today. An IC card typically is the size of a conventional credit card which contains a computer chip including a microprocessor, read-only-memory (ROM), electrically erasable programmable read-only-memory (EEPROM), an Input/Output (I/O) mechanism, and other circuitry to support the microprocessor in its operations. An IC card may contain a single application or may contain multiple independent applications in its memory. MULTOS™ is a multiple application operating system which runs on IC cards, among other platforms, and allows multiple applications to be executed on the card itself. This allows a card user to run many programs stored in the card (for example, credit/debit, electronic money/purse and/or loyalty applications) irrespective of the type of terminal (i.e., ATM, telephone, and/or POS) in which the card is inserted for use.
A conventional single application IC card, such as a telephone card or an electronic cash card, is loaded with a single application at its personalization stage when it is manufactured and before it is given to a card user. That application, however, cannot be modified or changed after the card is issued, even if the modification is desired by the card user or card issuer. Moreover, if a card user wanted a variety of application functions to be performed by IC cards issued to him or her, such as both an electronic purse and a credit/debit function, the card user would be required to carry multiple physical cards on his or her person, which would be quite cumbersome and inconvenient. If an application developer or card user desired two different applications to interact or exchange data with each other, such as a purse application interacting with a frequent flyer loyalty application, the card user would be forced to swap multiple cards in and out of the card-receiving terminal, making the transaction difficult, lengthy, and inconvenient.
Therefore, it is beneficial to store multiple applications on the same IC card. For example, a card user may have both a purse application and a credit/debit application on the same card, so that the user could select which type of payment (by electronic cash or credit card) to use to make a purchase. Multiple applications could be provided to an IC card if sufficient memory exists and an operating system capable of supporting multiple applications is present on the card. Although multiple applications could be preselected and placed in the memory of the card during its production stage, it would also be beneficial to have the ability to load and delete applications for the card post-production as needed.
The increased flexibility and power of storing multiple applications on a single card create new challenges to be overcome concerning the integrity and security of the information (including application code and associated data) exchanged between the individual card and the application provider as well as within the entire system when loading and deleting applications. It would be beneficial to have the capability in the IC card system to exchange data among cards, card issuers, system operators, and application providers securely and to load and delete applications securely at any time from a local terminal or remotely over a telephone line, Internet or intranet connection, or other data conduit. Because these data transmission lines are not typically secure lines, a number of security and entity authentication techniques must be implemented to make sure that applications being sent over the transmission lines are not tampered with and are only loaded onto the intended cards.
As mentioned, it is important—particularly where there is a continuing wide availability of new applications to the cardholder—that the system has the capability of adding applications onto the IC card subsequent to issuance. This is necessary to protect the longevity of the IC cards; otherwise, once an application becomes outdated, the card would be useless. In this regard, to protect against the improper or undesired loading of applications onto IC cards, it would be beneficial for the IC card system to have the capability of controlling the loading process, and restricting, when necessary or desirable, the use of certain applications to a limited group or number of cards such that the applications are “selectively available” to the IC cards in the system. This “selective capability” would allow the loading and deleting of applications at, for example, a desired point in time in the card's life cycle. It would also allow the loading of an application only to those cards chosen to receive the selected application.
Accordingly, it is an object of this invention to provide these important features, and specifically a secure system that allows for selective availability of applications which may be loaded onto IC cards or other tamper resistant modules.