1. Field of the Invention
The present invention has been made in collaboration with the Universite des Sciences et Techniques, and the CERIM and LIFL laboratories. Its object is a secured method for the loading of several applications in a memory card provided with a microprocessor, often called a chip card. Chip cards such as these typically have three types of use. In a first use of identification, they constitute keys by which their bearer can gain access to a place or a service. In a monetary use, either they are pre-loaded with units representing a possibility of consumption with a party that issues chip cards (generally in telecommunications) or the information that they contain represents a balance of a bank account. As a last type of use, data storage may be noted: for example in order to manage health matters, each individual is provided with a card in which his medical history may be recorded, or again the card may replace an identity card.
The present card seeks to enable the coexistence, on a same card, of these different uses without its being possible for the use of the card that is made for one application to hamper the use of the card for other applications. To this end, the invention procures a safe method for the loading of the different applications so that they cannot interfere with each other. The invention covers also the facility of structuring attached to an application and the interrogation of the data elements by application. Furthermore, the system can be used to make it possible for the applications to permit certain data to to be "seen" by certain applications in total confidentiality.
2. Discussion of the Related Art
A first mode of managing several applications in one and the same card is known. It shall be described here below and it shall be shown that, despite its performance characteristics, this known loading method comes up against certain limitations. The method of the invention will show these limitations can be overcome.
FIG. 1 exemplifies a sharing of the memory of a chip card that can suit several applications. A memory of a chip card such as this is, in this case, physically divided into two essential parts. A first description part 1 contains descriptors, a second part 2 comprising pure memorizing zones. A descriptor represents an application. It comprises a certain number of bytes in binary language. A first byte 3 is called an identifier byte. It enables the application to be designated. If, at the time of a transaction with the card, a secret code and the identification of the application are presented, immediately the descriptor for which the identifier corresponds to the secret code presented is reached.
A descriptor also comprises a protection element 4 after the identifier. A first byte of this protection element 4 relates to the protection, in reading mode, of the words of the memory, another byte relates to the protection in writing mode, a third and fourth byte relate to the erasure or updating if, furthermore, the technology (EEPROMs) of the card allows it. It could be assumed, for example, that these information elements are encoded on one bit of the protection byte: when it is equal to zero, it prevents action whereas it permits it if it is equal to one. Similarly, in writing mode, it could be assumed that third bit (or another bit) of the second protection byte prohibits the writing if its value is zero or, on the contrary, permits it if its value is one (or possibly the contrary). This is also the case for the erasure or the updating.
As the last essential part, a descriptor finally comprises a number 5 of the memory words used by the concerned application. This number is encoded, for example, on two bytes after the codes of the protection element 4. An application concerned by a descriptor may thus contain a number of memory words equal to any number, for example 18. To know where the words of the memory are located, in the part 2 of this memory, which corresponds to this application, an instruction of the microprocessor of the chip card computes that the first 18-word address permitted is equal to the sum, plus one, of the words allocated to the previous descriptors in the list of the descriptors of the chip card. The last address permitted is equal to this sum plus the number of words indicated in the descriptor, i.e. in this case 18.
If, in one example, an identifier has corresponded with a third descriptor, independently of the question of whether or not it is possible to read or write in the concerned memory words, it will be known that the memory zone allocated to the application corresponds to that of the descriptor 3, that it is placed after those allocated to these descriptors 1 and 2 respectively, and that its length is limited by the number of words allocated to this descriptor 3.
The microprocessors therefore at present, in their set of instructions, comprise instructions organized in sequence and stored definitively in the memory (ROM) of the chip card, at the end of which, firstly, it is possible to identify a chosen application and, secondly, there are known ways of irrevocably limiting access to an allocated set of memory words.
To create novel applications, there is furthermore provision, in this set of instructions, for a creation instruction by which it is possible to add a descriptor to the sequence of descriptors already present (to the extent that the memory space allows it) and to allocate a number of memory words (here too as a function of a memory space available in the card) to this application described by this descriptor. The memory zone allocated to a novel application is completely independent of that allocated to the preceding applications.
While this technique, with the associated set of instructions, is efficient, it has a first limitation which is that it prevents an application from working in the memory zone reserved for another previously recorded application. This is understandable because it is the safety-related aim of the invention. However, in certain cases, it is possible that the owner of an application wishes to obtain access, in a complementary application that he would have programmed himself, to one or more memory zones that he has previously allocated to himself. Here, this is not possible. The structure is not flexible.
To give an approximate idea, it may be assumed in a banking application that a banker, by means of an application recorded and represented by a descriptor 1, has already permitted the bearer of the card to withdraw a certain sum of money per week from his account. He may subsequently wish to allow this same holder to make account-to-account transfers from the bank account represented by his chip card. In the present situation, this second application has to be entered completely independently of the first one. This leads to a duplication of certain memory zones, and to a problem of their management. The balance present in one of the memory zones of an application is, for example, affected by a withdrawal while the balance, which is theoretically the same, in another memory zone corresponding to the transfer, is not correlatively debited by the sum corresponding to the withdrawal.
In this case, the solution for the banker would be to eliminate one of the applications and enter another application, as a replacement, which would include the totality of the instructions of the preceding applications. This causes a loss of space in the card. Since, furthermore, it is known that the sizes of memories in these cards are limited, it will be seen that this technique is not without drawbacks.
Furthermore, the last bytes of the descriptor provide information on the number of words that can be used in the memory, but this is not always a good procedure. Indeed, especially in operations for the storage of pure data, it is possible to choose memory word lengths that are either fixed lengths, for example 30 bytes (it being possible to assign each byte to one character), or a variable length. However in this case it is necessary, after each recorded information element, to show a separating byte (a character), for example corresponding in ASCII to a star or a fraction bar, whether oblique or otherwise. A structuring such as this has the drawback of having to be known with precision by the programmers who use the cards which, in certain cases, leads to cumbersome features during use. Even for a very simple application, it is necessary to have perfect knowledge of the entire operation of the card or of the microprocessor.
Furthermore the fixed length format, in most cases, may lead to a systematic loss of space owing to an oversizing of the lengths of the words in order to overcome every problems.
The problems of security or of the right of access to the data elements of these cards are related to the location of these data elements in the memory.
There is also another known prior art structure divulged by the document WO-A-8707061. However, this document provides for only one hierarchical structure of the actors. The actors of the same hierarchical level are not supposed to act at different levels. It is even truer that actors foreign to the application cannot be stacked in the hierarchy and be permitted to consult or even modify recordings of a data table. This document proposes no approach to overcome this problem.