1. Field of the Invention
An object of the present invention is a security system to protect protection zones of a chip card. The chip cards in question are memory cards in which the storage element is an electronic, integrated circuit known as a chip. Cards of this type are used in the banking sector. They act as means of payment and can be used both to manage an account, by indicating the balance recorded therein and by accounting for the various flows to which it is subjected, and to safeguard its use by the introduction of a secret code. Owing to their purpose, cards of this type are placed in an environment where the chief danger to be avoided resides in faulty security. A great many systems have been perfected for this purpose. It is an object of the present invention to make it possible to place chip cards with different functions at the disposal of sectors of industry other than the banking sector, while ensuring that these cards possess the same level of security in certain programming zones.
2. Description of the Prior Art
Chip card applications in the banking sector are well known. In brief, in the handling of current expenses, they consist in debiting and crediting operations with respect to the account managed in the card, possibly in authorizing a certain line of credit to certain customers. In addition, they enable safe use, through the recognition of a secret code, known to the bearer of the card. So as to introduce no risk into the distribution of memory cards, the banking sector has chosen a simple practice for the manufacture of these cards. Manufacturers of electronic equipment are entrusted, by contract, with several tasks. Their first task is to manufacture the integrated circuits, and the cards which contain them. A second task is to directly program the manufactured, integrated circuits (which, besides, have a universal character) to make them suitable for use in banking applications which are now well known and which, in the final analysis, are quite simple.
At this stage in the manufacture of the cards, the manufacturers further have the task of encoding the secret code that provides access to the card and of sending this secret access code to the future bearer of the card (i.e. to the bank's customer), while the card itself is sent to the bank. When the future bearer of the card receives his secret access code, namely his operating code, he is informed, at the same time, that he must go and get his card from the bank. Thus the end result obtained is that, in no case, do the card and the secret access code travel physically, in a detectable way, at the same time and by one and the same means of transport. This method of dispatch is now entirely satisfactory, and provides sound resistance to attempts at theft or fraud.
In practice, there is no existing means of finding the secret access code, namely the card operating code, through the customer's account number which is indicated on it. Besides, the loss of the secret access code number makes it necessary to destroy the card: it becomes unusable. Moreover, it is then possible for the manufacturer to undertake all kinds of procedures, notably of a technological type, to prevent the contents of the card from being pirated. Banking cards are, in fact, technologically inviolable.
It is necessary to create a similar environment of security in applications other than those of the banking sector. For example, a bearer of a card should be able to gain access to strategic defense-related places and, in these places, he should be authorized to perform a certain number of operations with this card. The essential difference between these operations and banking operations is that the former are not known, in principle, to the card manufacturer. He, therefore, cannot program them. The card manufacturer therefore has to export technical means, to perform certain manufacturing operations, to his customer who manages these cards. These manufacturing operations complete the programming operations performed by this customer, and ensure the desired security. To put it simply, it can be said that these operations may consist of a logic lock which, after it is shut, prevents certain zones of the card from being programmed, or certain programmed zones of this card from being read. However, this method cannot be envisaged when the customer does not intend to manufacture and use a very large number of cards. The customer cannot invest sufficient means in an application of limited use. In the alternative method, it is easy to understand the reluctance of a customer of this type, all the more so if he represents a country's defense set-up, to give an integrated circuit manufacturer an explanation of the operating algorithms which are to be introduced into the cards and which he wishes to keep secret.
The manufacturers' problem, therefore, is to place, at the disposal of these customers, who are concerned with specific applications, chip cards possessing a system of technological security and operating security of a level equivalent to that currently used in the banking system, and to do so in such a way that the manufacturing costs do not become prohibitive (with the export of the manufacturer's manufacturing means to the customer), and without the customer's being obliged to reveal the specific programming application that he intends to program in his cards. A simple solution would lie in sending chip cards of this type to this customer, with the secret access code, for subsequent operation, so that he programs them in his specific application. At the end of this programming operation, he could make a logic lock flip over, thus irrevocably preventing any access to the programmed zones of this chip card (so that no fraudulent person or thief could in any way attempt to reconstitute secret algorithms recorded therein).
The drawback of this method is that, under these conditions, the cards travel without any security. And for good reason, since the purpose of the security system is to prevent their subsequent programming, whereas this programming has not yet taken place and whereas it is precisely in order to be programmed that these cards are travelling. The situation faced then is one where systems with highly powerful functions travel by standard means of transportation (for example, through the postal system or by train). The systems may be intercepted, before reaching their consignees, by ill-intentioned persons who might be tempted to program them in their own way, with a view to counterfeiting an application of which, as it happens, they have knowledge and to which they do not normally have access.
An object of the invention is to overcome these drawbacks by proposing a security system to protect the programming zones of a chip card wherein, by its principle, a programming key is prepared when the card is manufactured. In practice, this key is a logic key: it is represented by a sequence of decimal, binary or other logic states. This logic key is conveyed to the customer by channels different from those used to convey the chip card itself. In other words, the interception of the card alone is not enough to enable misappropriation of its use. Without the programming key, this card is unusable. By contrast, upon receiving the card and the key, the normal customer himself can gain access to the programming zones of this card by introducing the logic key into the card. When this programming is over, he can ask the card (i.e. cause a programme, pre-recorded for this purpose, to be executed in the card) to produce its own operating key (which is, of course, different in its essence from the programming key). Once this operating key is known, this customer can lock in the programming of the card by making an irreversible technological lock flip over. All this customer has to do then is to distribute his cards in the same way as the chip card manufacturer does in banking applications.
In one improvement, the programming key is enciphered. This means that the key which travels cannot be directly used to validate the operations for programming the card. The programming key has to be deciphered first, before it is applied to the card. In this improvement, the manufacturer has an enciphering machine while the customer has a deciphering machine. Thus a situation is prevented where a resourceful thief, who might manage to procure both the programming key and the card, would be able, despite everything, to perform dishonest operations with the card.
In another improvement, the programming key function in the card comprises a one-time reading function. This function is designed to recognize the right key only once. If a wrong key is presented, or if a second programming operation is attempted after the first one has been performed and after the power supply of the card has been cut off, this programming function will have flipped over and will have become inaccessible.
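The following Python simulation is an added illustration of the card life cycle described above (separately conveyed programming key, enciphered transport of that key, one-time programming function, card-produced operating key and irreversible lock); it is not code from the patent. Everything concrete in it is an assumption: an equal-length XOR pad stands in for the manufacturer's enciphering machine and the customer's deciphering machine, an HMAC-SHA256 over an assumed per-card seed stands in for the pre-recorded programme that produces the operating key, and the class and function names are constructed for this example.

```python
"""Simulation of a chip card with a one-time programming key and an irreversible lock.

Added example; the cipher, the key-derivation step and all names are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def transport_encipher(key: bytes, transport_secret: bytes) -> bytes:
    """Stand-in for the enciphering machine: XOR with an equal-length, single-use pad."""
    if len(key) != len(transport_secret):
        raise ValueError("transport secret must match key length")
    return bytes(a ^ b for a, b in zip(key, transport_secret))


# The customer's deciphering machine applies the same XOR with the same pad.
transport_decipher = transport_encipher


class ChipCard:
    """Card whose programming zones open once, for the right key, and then seal."""

    def __init__(self, programming_key: bytes, card_seed: bytes) -> None:
        self._programming_key = programming_key
        self._card_seed = card_seed          # assumed per-card secret for key production
        self._programming_consumed = False   # one-time reading function flipped over?
        self._session_open = False           # programming zones accessible right now?
        self._locked = False                 # irreversible technological lock
        self.zones: dict[str, bytes] = {}    # programmed zones

    def present_programming_key(self, key: bytes) -> bool:
        """Any presentation consumes the one-time function, right or wrong."""
        if self._programming_consumed or self._locked:
            return False
        self._programming_consumed = True
        if not hmac.compare_digest(key, self._programming_key):
            return False                     # wrong key: the function has flipped over
        self._session_open = True
        return True

    def program_zone(self, name: str, data: bytes) -> None:
        if not self._session_open:
            raise PermissionError("programming zones are not accessible")
        self.zones[name] = data

    def read_zone(self, name: str) -> bytes:
        if self._locked:
            raise PermissionError("programmed zones are sealed by the lock")
        return self.zones[name]

    def produce_operating_key(self) -> bytes:
        """The card computes its own operating key; unrelated to the programming key."""
        if not self._session_open:
            raise PermissionError("operating key is only produced while programming")
        return hmac.new(self._card_seed, b"operating-key", hashlib.sha256).digest()

    def lock(self) -> None:
        self._locked = True                  # never cleared again
        self._session_open = False

    def power_off(self) -> None:
        self._session_open = False           # the consumed function does not reopen


def manufacture() -> tuple[ChipCard, bytes, bytes]:
    """Manufacturer output: the card, the enciphered key that travels apart from it,
    and the transport secret held only by the customer's deciphering machine."""
    programming_key = secrets.token_bytes(16)
    transport_secret = secrets.token_bytes(16)
    card = ChipCard(programming_key, card_seed=secrets.token_bytes(32))
    return card, transport_encipher(programming_key, transport_secret), transport_secret


def intercepted_card_scenario() -> dict:
    """Someone holding the card and the enciphered key, but not the transport secret."""
    card, enciphered, _secret = manufacture()
    first = card.present_programming_key(enciphered)   # raw wire value: wrong key
    second = card.present_programming_key(enciphered)  # function already flipped over
    return {"first_attempt": first, "second_attempt": second}


def legitimate_scenario() -> dict:
    """Customer deciphers the key, programs the card, obtains the operating key, locks."""
    card, enciphered, secret = manufacture()
    key = transport_decipher(enciphered, secret)
    opened = card.present_programming_key(key)
    card.program_zone("algorithm", b"customer's secret application")  # constructed data
    operating_key = card.produce_operating_key()
    card.lock()
    try:
        card.read_zone("algorithm")
        readable_after_lock = True
    except PermissionError:
        readable_after_lock = False
    reopen = card.present_programming_key(key)         # right key, but only once
    return {"opened": opened, "readable_after_lock": readable_after_lock,
            "reopen": reopen, "operating_key_differs": operating_key != key}


if __name__ == "__main__":
    print(intercepted_card_scenario())
    print(legitimate_scenario())
```

The two scenario functions show the properties the text claims: the enciphered value on the wire is useless to whoever intercepts it together with the card, the first presentation consumes the one-time function whatever its outcome, and after the lock flips over the programmed zones can neither be read nor reopened with the genuine key.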