Encryption security is a well known feature of modern data processing systems. The general features of encryption security for data transmissions and PIN codes are described in many prior art references such as Atalla U.S. Pat. Nos. 4,268,715, 4,283,599, and 4,288,659.
It is also well known in the art to protect certain critical portions of data processing systems and real time control systems by placing security critical resources under the control of a security module which, as is well known, may include various levels of physical and logical security.
Some examples of logical and physical security features for security modules are discussed in the following references:
Levien U.S. Pat. No. 4,523,271
Double U.S. Pat. No. 5,027,397
Unsworth U.S. Pat. No. 5,353,350
IBM U.S. Pat. No. 5,388,156
Gilbarco U.S. Pat. No. 5,448,638
NCR U.S. Pat. No. 4,593,384
UK patent 1,248,763

a. providing in the secure processor a set of command primitives for functional control of the set of secure resources;
b. defining a set of commands to invoke the command primitives;
c. defining a secured command format for the commands including at least a command sequence ID, a command code, and a set of command data items;
d. defining a non-secured command format for the commands including a command code and a set of command data items;
e. storing in the secure processor a command set up table including, for each of the commands in the set of commands, a command type flag having a first value if the command is a secured command and a second value if the command is a non-secured command;
f. preparing an application program comprising a plurality of commands each having one of the secured command format or the non-secured command format;
g. sending the sequence of commands one at a time to the secure processor for execution;
h. looking up each command in the command set up table when the command is received by the secure processor;
i.1. if step h. determines that the command is a non-secured command, then executing a set of command primitives associated with the command using the command execution means; and
i.2. if step h. determines that the command is a secured command, then
i.2.c. executing the set of command primitives associated with the secured command using the command execution means, if and only if the secured command passes both the testing steps i.2.a. and i.2.b.

a first command format is associated with a secured command and comprises at least a command sequence ID, a command code, and a set of command data items; and
a second command format is associated with a non-secured command and comprises a command code and a set of command data items.

an interface to the secure processor resources;
a secured command authentication means;
a memory portion storing a predefined set of command primitives for functional control of the set of secured resources;
a memory portion storing a command set up table including, for each of the commands in the set of commands, a command type flag having a first value if the command is to be processed as a secured command and a second value if the command is to be processed as a non-secured command; and
a command execution program.

receiving and storing a command from the application processing unit;
looking up the command in the command set up table to determine if the command is a secured command or a non-secured command;
testing the authenticity of a secured command based on the value of at least one element of the secured command using the command authentication means;
testing the regularity of a secured command based on the value of the command sequence ID;
if the command look up determines that the command is a non-secured command, executing a set of command primitives associated with the command without use of authenticity testing or regularity testing;
if the command look up means determines that the command is a secured command, executing a set of command primitives associated with the command if and only if the command passes the tests of both the authenticity testing means and the regularity testing means.
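A minimal model of the secured/non-secured command dispatch described in the claims above, added here as an illustration and not taken from the patent. The command codes, primitive names and the HMAC-based authentication check are assumptions, since the text specifies neither the contents of the command set up table nor the authentication means.

```python
import hmac, hashlib
# Constructed demo key shared by the application processing unit and the secure
# processor. The page does not say how authenticity is tested, so an HMAC-SHA256
# over (sequence ID, command code, data) is assumed as the authentication means.
SHARED_KEY = b"demo-key-not-for-production"

# Command set up table: command code -> (secured flag, hypothetical primitives).
COMMAND_TABLE = {
    0x01: (False, ["display_text"]),             # non-secured: drive a display
    0x02: (True, ["load_key", "encrypt_pin"]),   # secured: touches stored keys
}

def mac(seq_id, code, data):
    msg = seq_id.to_bytes(4, "big") + bytes([code]) + data
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()

def secured_command(seq_id, code, data):
    """Secured format: sequence ID, command code, data items, plus the MAC."""
    return {"seq_id": seq_id, "code": code, "data": data, "mac": mac(seq_id, code, data)}

class SecureProcessor:
    def __init__(self):
        self.last_seq = 0   # regularity state: last accepted sequence ID
        self.executed = []  # primitives run, for inspection

    def execute(self, command):
        code = command["code"]
        if code not in COMMAND_TABLE:
            return "rejected: unknown command"
        secured, primitives = COMMAND_TABLE[code]      # step h: table look-up
        if not secured:                                  # step i.1: no tests applied
            self.executed.extend(primitives)
            return "executed"
        seq_id = command["seq_id"]                       # step i.2.a (assumed): MAC check
        if not hmac.compare_digest(mac(seq_id, code, command["data"]), command["mac"]):
            return "rejected: authenticity"
        if seq_id <= self.last_seq:                      # step i.2.b (assumed): ID must advance
            return "rejected: regularity"
        self.last_seq = seq_id
        self.executed.extend(primitives)                 # step i.2.c: both tests passed
        return "executed"

def run_demo():
    sp = SecureProcessor()
    results = [sp.execute({"code": 0x01, "data": b"hello"})]       # non-secured format
    results.append(sp.execute(secured_command(1, 0x02, b"1234")))  # fresh, authentic
    results.append(sp.execute(secured_command(1, 0x02, b"1234")))  # replay of same ID
    tampered = secured_command(2, 0x02, b"1234"); tampered["data"] = b"9999"
    results.append(sp.execute(tampered))                           # data altered after MAC
    return results, sp.executed
```

The replayed command fails the regularity test even though its MAC is valid, and the altered command fails the authenticity test before the sequence ID is considered.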
FIG. 1 illustrates one type of security module system. Security module 10 is protected by physical security features 23 and controls a set of security module resources 24, 25, 26 and 27. These resources may be internal or external to the security module, but typically only resources which themselves require physical security due to their nature and function, e.g. encryption using stored keys and algorithms, are located within the security module to save costs.
Application processing unit 20 communicates with security module 10 over command and data bus 21 and directly controls operation of non-secured resources 28. A secured application program 40 is stored in security module 10. An application software program 30 is stored in and executed in application processing unit 20. Program 20 includes security module commands which invoke the fixed secured application program in the security module.
This secured application program may be a single application program module or a plurality of application program modules, each of which may be invoked with a specific different security module command. It will be apparent that this prior art approach only allows the application software programmer to operate the secured resources using fixed program resources having predefined functionality. If the application software programmer wants to do other functions with the secured resources, a custom security module with additional secured application program modules would be required. In most cases the cost of such a customized security module would not be warranted by the added value that can be achieved. The application software programmer must instead utilize duplicate resources (e.g. a second display or keypad) and control them directly by application processing unit 20. It is apparent that there is a need for a method and apparatus for operating a security module and associated resources in a more flexible and effective manner that allows an application software program running outside the security module to access critical resources controlled by the security module in a secured manner.