The invention relates to a chip card which includes an integrated circuit provided with a control unit in the form of a microprocessor and memories.
Chip cards of this kind are generally known and are used for various purposes. Such chip cards are often used for applications where the card contains security-relevant information. This is so, for example in the case of bank cards which contain a balance or credit lines and also personal secret numbers, or in the case of patient cards which contain confidential information concerning the patient which should be readable, for example only after entry of a personal secret number. Furthermore, such cards are used for controlling the access to given rooms or buildings. It is also desirable that a chip card is suitable for a plurality of applications in that separate user programs are contained in the memory but only the desired program may be addressable. In such cases it is particularly important that data and parts of a user program cannot be accessed by another user program.
It is an object of the invention to provide a chip card with a microprocessor and memories which precludes as reliably as possible the unauthorized, i.e. undesirable, accessing of data, notably of a user program, by another user program or by other manipulations for the purpose of reading out or modification.
This object is achieved according to the invention mainly in that the program status word register (PSW register) contains at least one mode bit whose value indicates a user mode or a system mode. In the user mode, the corresponding bit value of the mode bit inhibits the access to at least parts of the PSW register as well as to all register and memory segments which are used only in the system mode. Consequently, all such registers and memories, containing security-relevant information, can be accessed only in the system mode. The system mode operates with a permanently stored program which, evidently, cannot be read out or modified from the outside. This program is independent of the relevant applications.
This offers the advantage that such a system program need be tested only once in respect of its security-relevant functions so as to be released. The user programs, generated and loaded onto the cards by the appropriate institutions such as banks or health insurance companies, need not be specially tested in that case. Each access to secret data in the framework of an application program takes place exclusively via the system program. This is also particularly important for chip cards which serve for more than one application. The system program ensures that all different user programs are unambiguously and reliably separated from one another and that no user program can access any other user program or data used therein.
For the authorized accessing of secret data used in a user program a given jump is always triggered in the system program so as to switch over the mode bit. All registers and all memory locations are accessible in the system mode. On the other hand, however, it can be reliably checked in the system mode whether the requested access is indeed permissible. This test cannot be deactivated by a fraudulent user. Every data input operation and every output operation is also equivalent to an access to secret data.
The inhibition of memory locations and the release of given memory location segments for a respective user program are simply realized in that the memory is subdivided into given zones, also referred to as segments, different user programs then being effectively associated with different segments. The segments are determined by the content of one or more corresponding registers which can be modified only in the system mode. Consequently, memory zones of different user programs are reliably isolated from one another.
Moreover, within a segment the access to only a part of the segment can be enabled in that additional registers are provided for indicating a limit address within a segment. Each address, i.e. the less significant bits, is automatically compared with the content of such a register. These registers can again be read and written only in the system mode.
Furthermore, the segment register preferably stores a bit group whose value is written into the memory location together with the data written. Upon reading out it is then checked whether the content of the corresponding zone of the memory location corresponds to this bit group. If this is not the case, reading out is inhibited.
If a user program wishes to access a register or a memory location in the user mode without such access being permissible according to this user program, it is possible to output, instead of a special system message, merely a value which corresponds to an empty memory cell, i.e. a cell which has not been written after the manufacture of the card. Thus, a fraudulent user cannot recognize whether he or she actually accessed an empty memory location or an inhibited memory location. Moreover, such a value corresponds to an unconditional jump in the system mode.
The inhibition of all inadmissible memory zones thus takes place via registers which can be modified only in the system mode. These registers form at least a part of the special function or SF registers. These registers are interconnected via a bus within the registers. Moreover, this internal register bus has an interface to the internal data bus via which the data can be written into the registers from the data bus or via which the registers can be read out to the data bus. Preferably, the register bus is subdivided by a switch which is closed only in the system mode. This constitutes a very simply possibility for inhibiting the relevant registers and hence indirectly also all non-accessible memory locations.