1. Field of the Invention
An object of the present invention is a device for protecting access to the memory words of a microprocessor-based system, especially a microprocessor-based integrated circuit. The invention relates more particularly to integrated circuit cards, known as chip cards, which are used in banking, in communications and, ever more frequently, in many other fields.
2. Description of the Prior Art
Microprocessor-based systems incorporated in integrated circuits go through many steps during their manufacture. In a first step, called the manufacturing step, the manufacturer of the integrated circuit stores an operating system in the program memories of the circuit. This operating system enables a number of operations to be performed (consisting essentially of writing, reading or erasing memory zones) and restricts certain other operations (especially in the case of bank-type cards, where it is known from the very outset that certain uses are prohibited). Once manufactured, the integrated circuits are delivered to an organization commonly called the issuing party. After programming a program memory, the issuing party puts them into service among its members (in the case of a bank, its customers). Preferably, the integrated circuit is mounted on a card. Through the running of the corresponding instructions, the program contained in this program memory provides for a particular use of the card. For example, the program could permit the withdrawal of cash from automatic cash dispensers. Another service could be the automatic constitution of a credit for certain privileged cardholders. Yet another could be the use of the card as an electronic wallet.
The diversity of these services and their gradual installation over time call for strict management of the actions possible with the card. Services are installed gradually because, as a customer becomes more loyal, the issuing party, namely his bank, decides to provide him with new facilities, that is, the use of new services. Gradual installation may also reflect the coexistence of applications of different types on one and the same chip card. It is now accepted that using a single card to manage only one type of service (for example banking services) involves a cumbersome system and is furthermore impractical; it is more appropriate to place several uses on one and the same card. For example, the holder's medical history could be recorded in the memories of the card so that his particulars are available when he goes to hospital.
The coexistence of different services entails additional risks. It is important to prevent a situation where the subsequent installation of a new application permits the undue modification of previous applications, or even the reading of the operational code governing another application. Certain information elements stored in the memories of the card must be permanently protected. These relate of course to the secret code of the card, which should not be modified, or should be modified only under strict conditions. They also relate to particulars identifying the card, such as its serial number, its class of membership in a cryptographic system, etc. The information that must not be modified, disturbed or read may also include the program memories, especially those containing the operating system of the card. While some information elements stored in the card must be preserved from the very outset, others become so only gradually, when the card is put to a new application. They may even become so only partially, their modification being hedged in by a number of restrictive conditions.
To resolve the security problems inherent in this development, a known approach assigns to each memory word to be protected a protection code stating whether the word may be read, written or erased. When such a memory word is accessed, its protection code is read at the same time, and the intended action is permitted or refused according to this code. This approach has the following drawbacks.
Firstly, it is not flexible. It may be desired to permit a given action, for example reading, under certain conditions and not under others. Since the code can only permit or prohibit the read operation outright, it cannot express such a distinction. Secondly, assigning a control word to each memory word costs memory: the control word is at least one eight-bit byte, so the storage capacity of the memory is reduced proportionally. Finally, and above all, the scheme is implemented by software.
The microprocessor receives the bits of the control word and is expected to take them into account before permitting or prohibiting the action. The security of this mode of operation therefore rests entirely on the control words being consistently honoured. Through error or fraud, it is possible for these words to be ignored, and the system then loses all its security.
To resolve this type of problem, the Applicant filed a French patent application on Oct. 2, 1987, bearing the number 87 13936 and published under No. 2 621 409, which recommends a different operation. To increase flexibility, it was observed that whether a given memory word may be used depends on the instruction that is to process it. For example, reading the secret code of the card and transferring it, in one form or another, into a register of the microprocessor must be authorized: when the comparison is made with a secret code typed at a keyboard by the user, the card's secret code must be available for the comparison. However, reading this secret code in order to display it on the screen of a terminal must be prohibited. Consequently, reading the code is permitted in some cases (for comparison) and not in others (for display).
The system described in that application makes use of the fact that a microprocessor works essentially by applying an instruction (an instruction code) to data elements. The idea was to build a decision table or matrix receiving, as a first input, the address of an instruction or the instruction code itself and, as a second input, the address of the data element to be processed by that instruction. Since both addresses cannot be presented simultaneously, it was further necessary to store temporarily the address of the instruction (or of the data element), more precisely the operation code of the instruction (or the operand address of the data element), so as to present it to the decision table at the right moment. The table, receiving these two address signals at its input, then delivers a signal permitting or prohibiting the performance of the instruction on the data element. The particular feature of this decision table is that it is made in the form of a circuit, preferably non-modifiable, at least after the first stages of manufacture. In this way the three problems referred to above are resolved: the decision depends on the instruction as well as on the word, so one and the same word can be readable for comparison yet not for display; no control word needs to be stored beside each memory word; and the check is performed by a circuit that the program running on the microprocessor cannot ignore.
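The following simulation is an added example and not code from the patent or from the cited application 87 13936; it models the prior-art per-word protection code and the opcode-by-address decision table side by side so that the differences described above can be exercised. The instruction codes (OP_READ, OP_COMPARE, OP_OUTPUT and so on), the memory zones and the contents of DECISION_TABLE are assumptions, and the secret code and the rest of the memory image are constructed sample data. The per-word scheme stores a control byte beside each word and relies on the program to honour it; the decision table is a fixed set of (instruction code, zone) pairs consulted once the opcode has been latched and the operand address is presented.

```python
"""Simulation of the two access-control schemes discussed above.
Added example, not code from the patent or the cited application: the opcodes,
the memory map and the decision table contents are assumptions for illustration.
"""

# ---- Prior art: one protection code per memory word -------------------------
PROT_READ, PROT_WRITE, PROT_ERASE = 1, 2, 4   # bits of the per-word control byte

class PerWordMemory:
    """Every word carries a control byte; the program must honour it itself."""
    def __init__(self, words, prot):
        self.words = list(words)
        self.prot = list(prot)      # one extra byte per word: the memory cost

    def read(self, addr, honour_checks=True):
        # The check is a software step; a faulty or subverted program can skip
        # it (honour_checks=False models that bypass). The READ bit also cannot
        # express "readable for comparison but not for display".
        if honour_checks and not (self.prot[addr] & PROT_READ):
            raise PermissionError(f"read of word {addr:#06x} prohibited")
        return self.words[addr]

# ---- Cited application: decision table on (opcode, operand address) ---------
OP_READ, OP_WRITE, OP_ERASE, OP_COMPARE, OP_OUTPUT = 0x10, 0x20, 0x30, 0x40, 0x50

OS_ROM = range(0x0000, 0x1000)        # operating system (program memory)
SERIAL = range(0x1000, 0x1008)        # serial number, cryptographic class
SECRET_CODE = range(0x1008, 0x1010)   # the card's secret code
APP_MEMORY = range(0x2000, 0x3000)    # the issuing party's application area
ZONES = (OS_ROM, SERIAL, SECRET_CODE, APP_MEMORY)

# Permitted (opcode, zone) pairs. Like the circuit of the application the table
# is fixed after "manufacture": a frozenset cannot be altered and nothing below
# writes to it. Any pair not listed is refused.
DECISION_TABLE = frozenset({
    (OP_READ, OS_ROM),                          # the CPU fetches its own OS
    (OP_READ, SERIAL), (OP_OUTPUT, SERIAL),     # serial number may be shown
    (OP_COMPARE, SECRET_CODE),                  # secret code: comparison only
    (OP_READ, APP_MEMORY), (OP_WRITE, APP_MEMORY),
    (OP_ERASE, APP_MEMORY), (OP_OUTPUT, APP_MEMORY),
})

def zone_of(addr):
    """Address decoder: the zone an operand address falls in, or None."""
    return next((zone for zone in ZONES if addr in zone), None)

class DecisionCircuit:
    """The opcode is latched first; when the operand address arrives, the
    table delivers the permit signal for that (opcode, address) pair."""
    _opcode = None

    def latch_opcode(self, opcode):
        self._opcode = opcode

    def permit(self, operand_addr):
        return (self._opcode, zone_of(operand_addr)) in DECISION_TABLE

class GuardedMemory:
    """Memory that can only be reached through the decision circuit."""
    def __init__(self, image):
        self.words = bytearray(image)   # loaded at manufacture, before use
        self.circuit = DecisionCircuit()

    def execute(self, opcode, addr, value=None):
        self.circuit.latch_opcode(opcode)
        if not self.circuit.permit(addr):
            raise PermissionError(f"opcode {opcode:#04x} on {addr:#06x} prohibited")
        if opcode in (OP_READ, OP_OUTPUT):
            return self.words[addr]
        if opcode == OP_WRITE:
            self.words[addr] = value
        elif opcode == OP_ERASE:
            self.words[addr] = 0x00
        elif opcode == OP_COMPARE:
            return self.words[addr] == value   # only the verdict leaves the chip

def outcome(action):
    """Run a zero-argument action and report whether it was allowed."""
    try:
        action()
        return "permitted"
    except PermissionError:
        return "prohibited"

def demo():
    """Exercise both schemes and return the outcomes."""
    image = bytearray(0x3000)
    image[0x1008:0x100C] = b"\x12\x34\x56\x78"   # constructed secret code
    card = GuardedMemory(image)
    card.execute(OP_WRITE, 0x2000, 0x5A)          # application zone is free
    r = {"app_read": card.execute(OP_READ, 0x2000),
         "pin_ok": card.execute(OP_COMPARE, 0x1008, 0x12),
         "pin_bad": card.execute(OP_COMPARE, 0x1008, 0x99),
         "pin_output": outcome(lambda: card.execute(OP_OUTPUT, 0x1008)),
         "os_write": outcome(lambda: card.execute(OP_WRITE, 0x0100, 0)),
         "serial_erase": outcome(lambda: card.execute(OP_ERASE, 0x1000))}
    # Prior art: the secret code is simply unreadable, and the check is optional.
    legacy = PerWordMemory(image, [PROT_READ] * 0x1008 + [0] * (0x3000 - 0x1008))
    r["legacy_checked"] = outcome(lambda: legacy.read(0x1008))
    r["legacy_bypassed"] = legacy.read(0x1008, honour_checks=False)
    return r
```

Running demo() shows the distinction the prior-art bit cannot express: COMPARE on the secret code succeeds while OUTPUT of the same word is refused, whereas the per-word scheme can only make the word readable or unreadable and, being a software check, can be skipped outright. A pair absent from the table is refused, so an unknown opcode or an unmapped address fails closed; a real circuit would decode the address ranges in hardware rather than with a Python range lookup.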