AU766930B2 - Method for securely managing a units counter and security module implementing said method - Google Patents


Info

Publication number: AU766930B2
Authority: AU (Australia)
Prior art keywords: area, units, counter, updating, case
Legal status: Ceased (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: AU22857/99A
Other versions: AU2285799A (en)
Inventors: Xavier Banchelin, Carole-Audrey Koch-Hourriez, Mireille Pauliac
Current Assignee: Gemplus SA (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Gemplus Card International SA, Gemplus SA
Application filed by Gemplus Card International SA, Gemplus SA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M17/00 Prepayment of wireline communication systems, wireless communication systems or telephone systems
    • H04M17/02 Coin-freed or check-freed systems, e.g. mobile- or card-operated phones, public telephones or booths
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/343 Cards including a counter
    • G06Q20/3433 Cards including a counter the counter having monetary units
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/02 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by keys or other credit registering devices
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0866 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means by active credit-cards adapted therefor


Abstract

The invention concerns a method for securely managing a units counter in an electrically programmable and erasable memory, whereby a number of units consumed by users is recorded by means of a counter, consisting in breaking down the units counter into at least two memory zones (A, B), one first zone (A) wherein a bit is stored per unit consumed and a second zone (B) wherein the value corresponding to the accumulation of bits consumed is stored, the second zone being only updated when the number of units consumed exceeds or reaches the number of non-stored bits in the first zone. The invention is applicable to security modules provided in telephone terminals.

Description

A METHOD FOR THE PROTECTED MANAGEMENT OF A UNIT COUNTER AND A SECURITY MODULE IMPLEMENTING THE METHOD

The object of the present invention is a method for the protected management of a unit counter located in memory, in particular a chip card in relationship with a terminal. It could nevertheless apply to any other type of memory.
The invention is particularly useful when it is a case of counting a very large number of units whilst preserving the storage capacity of the memory.
The storage capability of the memory (its suitability for being updated) is limited in time because of the technology used by the manufacturers of electrically erasable and programmable non-volatile memories (for example EEPROMs).
The manufacturers guarantee the good behaviour of the memory for a limited number of updates of the memory (an update comprises an erasure operation followed by a programming or writing). Beyond that, the memory may no longer be correctly erased or correctly programmed.
On average, the number of updates guaranteed by the memory manufacturers is around 100,000 per memory location. In the case of a unit counter, the problem of preserving the storage capability of the said counter is all the more difficult to resolve the higher the number of units to be counted and the greater the frequency of updating of the counter.
The invention will be described in particular in the case of an application to a chip card in the field of cardphones.
It is known, in the field of chip cards, that a transaction between a terminal and an external electronic purse is organised around a security module (SM) comprising a microprocessor. The module is generally integrated into the terminal.
The role of a security module is particularly to ensure the verification of the authentication of the electronic purse cards external to the terminal. In the context of cardphones, the electronic purse chip card is a phone card (not reloadable), the terminal is a cardphone (or telephone box) and the security module can itself for example be a chip card located in the terminal.
It should be noted that the set of commands of the component of the said security module is referred to as the "operating system".
The use of a security module makes it possible to give the operator of a cardphone the means of authenticating the phone cards which are inserted by the customers carrying the said phone cards. Thus fraudulent cards are rejected.
In addition to the authentication functions, the module proposes to the operator of a cardphone to manage, in a secure manner, a unit counter which records all the units consumed by the different holders of prepayment cards or phone cards during telephone communications made from the said cardphone.
This functionality opens the way to multioperator solutions where the issuer of phone cards (the operator) would not be the sole operator of the cardphone. For this purpose, provision is made for having, within the memory of the security module located in each cardphone, a unit counter dedicated to each operator.
Still in the context of cardphones, such a counter must be able to store 16 million units, which corresponds to a maximum number of telephone units able to be recorded at very highly frequented public places (such as airports) for measurements made over the average lifetime of the counters of a cardphone (approximately 3 years).
The updating of the said counter can also be required on several occasions during a telephone communication.
In order to store as many units using the counters of the prior art it would be necessary to use a 24-bit memory. However, in this case, the number of updates would exceed the storage capacity of this memory. This solution can therefore not be envisaged.
In the invention, provision has been made for remedying this problem by breaking down the unit counter into at least two main areas.
The first memory area of the counter (zone A) is considered to be a bit field. A consumed communication unit corresponds to each bit stored or "blown" or "written" or "switched on". A "token" is also spoken of to characterise a bit stored in area A.
A second, smaller memory area (area B) has a size which makes it possible to code the maximum value of the number of units to be stored.
These memory areas are memory areas of an electrically programmable and electrically erasable non-volatile memory.
With regard to area A and without going into the technology of the programming of memories, a memory location will be considered to be unavailable when a bit is stored therein. Hereinafter the terms stored bit, "switched-on bit", blown bit or written bit will be used interchangeably to mean that the memory locations are unavailable, and switched-off, not stored or not blown bit to mean that the locations are available (free).
By convention, it will be considered that a bit is switched on when its logic state is equal to 1, and that a bit is switched off when its logic state is equal to 0.
A switched-on bit will be made available (switched off) only upon the next erasure of the entire area A (switching off of all the bits making it up).
According to one aspect of the present invention there is provided a method for protected management of a unit counter in an electrically erasable and programmable memory, according to which the number of units consumed by users is recorded by means of a counter, said method including breaking down the unit counter into at least two memory areas including a first area in which at least one bit is stored by at least one consumed unit and a second area in which the value corresponding to total units consumed is stored, the second area being updated only when the number of units consumed exceeds or attains the number of not stored bits of the first area.
The units consumed may be recorded in the first area cyclically.
A cycle may correspond to a sequence of switching on the first bit from the first area to the last. It may end when all bits have been switched on.
An operation of recording n units consumed may comprise the following steps:
- reading the content of the first area and comparing the number of not stored bits in the first area with the number of consumed units to be recorded,
- if this number of not stored bits is greater than or equal to the number of units to be recorded, the bits to be recorded are stored in said first area,
- if this number is less, L bits are stored in the first area and the remaining units are recorded in the second area by performing an operation of updating this area, and the first area is erased.
An operation of updating the second area may comprise a step of writing in this second area a new coded counter value equal to the current value to which the number of stored bits in the first area and the remaining consumed units to be stored are added.
The updating of the second area may comprise a prior step of recording indicator information (C2) signifying that an updating is currently being carried out.
To improve security the unit counter may have an area (SB) for backing up the second area and these two areas may each have a field for recording a redundancy code (CR, SCR), for checking the integrity of the content of these two areas.
An operation of recording n units consumed may also comprise a prior step of verifying the state of the counter comprising the following operations:
- where the indicator information is indeed absent: verification of the validity of the fields containing the redundancy codes:
  - where the fields are valid: recording of the n units;
  - where the fields are not valid: detection of a fault and stoppage of the counter;
- where the indicator information is present: activation of the recovery operation to re-establish the integrity of the contents of the counter.
An operation of updating the second area may then include the following steps:
- recording the indicator information (C2),
- copying, in the backup area (SB), the coded value (VO) of the counter of the second area,
- recording the new coded value of the counter in the second area,
- erasing the indicator information (C2).
The recovery operation may consist in determining at which step the abnormality occurred (a cutting off of the current), and then performing, according to the circumstances determined, the steps of updating the backup area (SB) and/or of the second area and/or of the first area.
Advantageously, the determination of the step at which the abnormality occurred consists in reading the content of each of the areas in order to determine whether the abnormality occurred during the updating of the backup area (case 1), during the updating of the second area (case 2), during the erasure of the first area (case 3), between the updating of the second area and the backup area (case 4), or after the updating of these two areas (case 5).
In practical terms, the recovery may consist:
- in case 1 in: copying the value contained in the second area into the backup area (SB), updating the second area by recording the new value which is equal to the old one to which the content of the first area is added, erasing the first area, erasing the indicator information (C2);
- in case 2 in: copying into the second area the value contained in the backup area by adding the value contained in the first area, erasing the first area, erasing the indicator information (C2);
- in case 3 in: erasing the content of the first area (A), erasing the indicator information (C2);
- in case 4 in: implementing the steps according to case 2;
- in case 5 in: implementing the steps according to case 3.
Advantageously the method may also comprise a step of recording information signifying a failure (C1) in reading or writing to the first area (A), deactivating the said area when it has not been possible to read or write in this area, and a step of reading this information at each new cycle, the units consumed then being directly recorded in a coded manner by an operation of updating the second area. The information (C2) indicating a current updating and the information signifying a failure (C1) in reading and writing to the first area are recorded in a third area of the said counter.
The invention also relates to a security module implementing the method according to the invention.
Such a module can be located in a terminal managing units consumed by the users of the terminal, and can also be in particular a telephony terminal.
Other particularities and advantages of the invention will emerge from a reading of the description below, which is given by way of non-limitative example with regard to the accompanying drawings, in which:
- Figure 1 schematically depicts the unit counter according to the invention;
- Figure 2A depicts the steps of recording n units according to the method of the invention;
- Figure 2B depicts the prior verification step of Figure 2A;
- Figure 3 depicts the steps of recording the units in the second area (updating) according to a preferred embodiment;
- Figure 4 depicts the steps of the recovery mechanism;
- Figure 5 illustrates a variant in the according to the invention.
The method described hereinafter relates to a counter protected against fraud (intrusion or tampering). The method provides, when the counter is saturated, for the latter to stop and informs the application using it of this fact.
In the example application given below, and which corresponds to the case of cardphones referred to in the introduction, the units consumed are telephone units and the sizes of areas A and B are obviously defined here for the purpose of example.
It is pertinent to consider an area A of 168 bits and an area B of 24 bits (24 bits in fact making it possible to store 16,777,215 units).
Area B is in turn split in order to overcome problems of cutting off of current during the updating of the counter (cf Figure). This case is detailed below.
As already mentioned, the operating life of the counter is directly related to the number of updates (erasure and writing). It is therefore essential to find a counter structure and a counting method which reduces the number of updates.
In the context of the invention, the storage of the communication units consumed takes place as follows.
It is assumed that the duration of a telephone communication is divided into time intervals. The duration of a time interval corresponds to a fixed number of consumed units. In this example, the recording cycle for the consumed units is defined by these time intervals.
At the start of each time range, the number of units consumed must be stored in the security module.
Thus, in the case of a communication requiring 13 units in total and where an elementary time interval comprises 3 units, the unit counter within the security module will be updated five times during the communication and a sixth time at the end of the communication time.
The method of managing the unit counter is defined by steps 10, 20, 30, 40, 50 and 60 illustrated by Figure 2A.
A step prior to the recording of the units consists in checking the state of the counter (step detailed from Figure 2B).
At each request to store consumed units, the operating system of the security module managing the counter checks that the number of switched-off (available) bits in the area A is greater than or equal to the number of units to be stored (cf Figure 2A).
In the affirmative, if n units have been consumed, n bits available in the area A are blown (provision can be made, by way of a variant according to the invention, for n bits available in the area A to be blown for n packets of consumed units).
This operation requires no erasure, only a single write action, which amounts to blowing certain bits in the area A.
As soon as the number n of consumed units to be stored exceeds the number of available bits L remaining in the area A, the number of available bits L in the area A are switched off and the remaining consumed units n-L are counted in the area B. A new coded value taking account of these remaining units is recorded in the area B by an updating operation as follows: The new value of the area B (the total number of units) is equal to the current value of the area B to which it is necessary to add the number of bits blown in the area A (value VA) and the number n-L of units to be stored.
The updating of the area B gives rise to a reading thereof followed by an erasure and writing.
The area A for its part is entirely erased (all the bits are once again available).
It would also be possible, according to the invention, where the number of bits available in the area A is insufficient, to make provision for supplementing this area A, and then updating the area B by storing as a new value the previous value to which the content of the area A is added, and then erasing the area A and finally storing in the area A the remaining units consumed (instead of storing them in the area B). This variant does indeed remain within the scope of the principle of the invention.
With this method, although the frequency of storage of consumed units is high, the frequency of erasure of the areas A and B is much lower. The same applies to the frequency of writing to the different memory locations making up the area A and consequently area B.
The frequency of erasing and writing to the memory locations making up the unit counter is directly related on the one hand to the size of the area A and on the other hand to the granularity used for breaking down a communication (granularity means an elementary communication period corresponding to a number of units predetermined by the operator).
It should be noted that, in order to know at any time the total number of units consumed by means of the cardphone, it suffices to add, to the current value of the area B, the number of blown bits in the area A.
In the context of the invention, it is proposed to use an additional functionality for extending the service life of the unit counter.
This is because it is known that a bit field is subdivided into sets of consecutive eight bits known as bytes. As is described above, the area A is erased as frequently as the area B. However, for programming facilities or constraints related to the component used, blowing a bit within a byte may give rise to a new blowing of bits already blown within the said byte.
Thus a byte belonging to the area A can be written to more often (that is to say its bits blown) than a byte making up the area B. The area A then being more stressed than the area B, the operating life of the counter is therefore directly related to the storage capacity of the area A.
To overcome this problem, it is proposed, in the context of the invention, to provide, within the unit counter, an additional memory area known as area C comprising at least one location for storing the information C1 (cf Figure 1 and Figure). This variant of the method is illustrated by Figure. In this variant, the step of verifying the state of the counter, prior to the recording of the consumed units, includes a reading of the area C in order to check whether the information C1 exists.
This information C1 is written as soon as a memory location in the area A can no longer be erased or written to (since provision is made in a conventional manner to check the correct execution of a writing or erasure in the memory). In this case the operating system of the security module decides to deactivate the area A (step 42) and to work only with the area B (step). With each request to store consumed units the area B is erased and rewritten.
Quite obviously, the storage capacity of the area B will in turn be rapidly impaired but the counter can continue to be used for some time more.
Moreover, in order to increase the security of the management of the counter, it is possible to add a mechanism for guaranteeing a coherent state of the said counter, if a cutting off of current occurs during the storage operation. It is not pertinent to envisage an operation of pulling out the security module since generally this is fully integrated into the cardphone.
Having said this, the case of pulling out would be managed in the same way.
In the context of the invention, in order to install such a mechanism (hereinafter referred to as a recovery mechanism), the area B is provided with a redundancy code. In addition the area B is duplicated (cf Figures 1, 2B and 3).
The area SB thus defined is used as a backup for the previous one. It is updated before any change to the area B.
The area SB contains at any time the value of the area B, preceding the last updating of the said area.
An additional byte within the area C is used to indicate whether the storage operation has been partially or entirely performed; this is the indicator information C2.
Thus, at the start of processing of a request to store units, C2 is stored. It is erased once this same storage operation has been fully carried out. To avoid excessively stressing the byte C2, the latter is used (written and then erased) only in the case where the number of units to be stored is greater than the number of bits still available in the area A.
If this is not the case, the byte C2 is unused.
Amongst the available bits in the area A, n bits are switched on. The storage operation is terminated. It is considered that the loss of information is minimal.
Where the number of bits available within the area A is insufficient, it is essential to activate the procedure making it possible subsequently to actuate the recovery mechanism where there is an abnormality.
This is because, if a cutting off of current occurs after the area B has been erased and not once again rewritten to, all the information in the unit counter would be lost.
The check on the counter carried out prior to any recording (Figure 2B) will now be detailed.
The system checks the absence of the indicator C2 (11).
If the indicator C2 is absent the system checks the fields containing the redundancy codes.
If these fields are valid the n units consumed are recorded.
If the fields are not valid there is a detection of a fault, a stoppage of the counter (and possibly an alarm).
In the case where the indicator exists there is a use of the recovery mechanism detailed from the figure.
The operation of updating the area B according to this variant (cf Figure 3) will now be detailed.
As can be seen in Figure 3 (steps 51 to 55), the indicator C2 is first of all written, and the current value, for example VO, of the counter coded in the area B is copied into the area SB. Then the area B is updated (new value V1 equal to the current value to which the number of bits blown in the area A and the n-L units remaining to be stored are added). The area A is next erased and the indicator C2 is then erased to indicate that the storage operation has been performed entirely with success.
In the description given, everything occurs normally, there has not been any cutting off of power during the storage operation.
Now, if a cutting off has occurred, the activation of the recovery mechanism is described below (cf Figure 4).
This is activated at the time of the next request to store whether or not the number of bits available within the area A is sufficient to store the n units.
If the indicator C2 is switched on, then, before storing the consumed units, the recovery mechanism is actuated by the operating system of the security module.
Several cases may occur. This is because the cutting off may have occurred during the updating of the area SB (case 1), during the updating of the area B (case 2), during the erasure of the area A (case 3) or between the said updatings (case 4 and case 5). The recovery procedure must be distinct according to the different cases listed above.
Where the area SB has not been able to be correctly updated (case 1), the redundancy code SCR thereof is not in conformity. The value VO contained in the area B is then copied into the area SB, the area B is then updated (new value V1 equal to the current value VO of the area B to which it is necessary to add the number of blown bits in the area A, value VA).
Only the number of units n-L which were to be stored during the interrupted storage is lost.
The area A is then erased and the indicator C2 too.
In the case where the area SB has been correctly updated but the area B has not been correctly updated (case 2), the redundancy code SCR of the area SB is correct. On the other hand, the redundancy code CR of the area B is incorrect.
The area B is then updated as follows: the new value V1 of the area B is equal to the value VO of the area SB, to which the number of blown bits in the area A, that is to say a value VA, is added: V1 = VO + VA.
In this case as in the previous one, the only information lost corresponds to the number n-L of units remaining which were to be stored during the interrupted storage. The area A is then erased and the indicator C2 too.
By examining only the redundancy codes of the area SB and of the area B, it is impossible to know whether the cutting off of current took place between the updating of the areas SB and B (case 4) or after the updating of these two areas (case 5). This is because in both cases the redundancy codes are both correct.
To distinguish cases 4 and 5, the operating system of the security module compares the values of the areas SB and B; V(SB). If the area SB contains the same value as the area B then the cutting off of the power must have taken place between the updating of the areas SB and B (case 4). The treatment of the recovery mechanism is then identical to that described above (case 2).
If this is not the case, the area B must therefore have been correctly updated (case 5). It is then necessary to erase the area A and the indicator C2. No information has been lost in this case.
The case where the cutting off of current took place during the erasure of the area A (case 3) remains to be dealt with. This case is similar to the previous case (case 5). Once the recovery mechanism has been executed, the n units to be stored are stored in accordance with the description of the invention given above.
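
The recording, updating and recovery steps described above, as an added example in C that is not code from the patent or its applicant: a host-side simulation of areas A, B, SB and the indicator C2 that injects a power cut at each point of the update and checks how many units survive recovery. Assumptions: the redundancy code (not defined in the text) is an XOR checksum, a torn write leaves the area erased with an invalid code, and the cut points, function names and the both-codes-invalid fault branch are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define A_BITS 168u       /* area A: one bit per consumed unit (size from the text) */
#define B_MAX  0xFFFFFFu  /* area B: 24-bit coded value, 16,777,215 units */

/* Hypothetical cut points: TORN_x = power lost while x is being rewritten. */
typedef enum { NONE, TORN_SB, AFTER_SB, TORN_B, AFTER_B, TORN_A, AFTER_A } cut_t;
typedef struct { uint32_t val; uint8_t rc; } coded_t;  /* value + redundancy code */
typedef struct {
    uint8_t a[A_BITS / 8];  /* area A */
    coded_t b, sb;          /* area B (code CR) and backup SB (code SCR) */
    uint8_t c2, stopped;    /* indicator C2; counter halted after a fault */
} counter_t;

/* Assumption: the text does not define the redundancy code; XOR checksum here. */
static uint8_t rc_of(uint32_t v) { return (uint8_t)(v ^ (v >> 8) ^ (v >> 16) ^ 0xA5u); }
static int  valid(const coded_t *x) { return x->rc == rc_of(x->val); }
static void put(coded_t *x, uint32_t v) { x->val = v; x->rc = rc_of(v); }
static void tear(coded_t *x) { x->val = B_MAX; x->rc = 0; }  /* erased, not rewritten */

static unsigned blown(const counter_t *c) {  /* VA: bits switched on in area A */
    unsigned n = 0;
    for (unsigned i = 0; i < A_BITS; i++) n += (c->a[i / 8] >> (i % 8)) & 1u;
    return n;
}
static void blow(counter_t *c, unsigned k) {  /* switch on the next k free bits */
    for (unsigned i = blown(c); k > 0; i++, k--) c->a[i / 8] |= (uint8_t)(1u << (i % 8));
}
void counter_init(counter_t *c) { memset(c, 0, sizeof *c); put(&c->b, 0); put(&c->sb, 0); }
uint32_t total(const counter_t *c) { return c->b.val + blown(c); }

/* Update of area B (Figure 3 order). Returns 0, -1 on simulated cut, -2 if saturated. */
static int update_b(counter_t *c, uint32_t rest, cut_t cut) {
    uint32_t v1 = c->b.val + blown(c) + rest;   /* V1 = VO + VA + (n - L) */
    if (v1 > B_MAX) { c->stopped = 1; return -2; }
    c->c2 = 1;                                  /* record indicator C2 */
    if (cut == TORN_SB) { tear(&c->sb); return -1; }
    put(&c->sb, c->b.val);                      /* copy VO into SB */
    if (cut == AFTER_SB) return -1;
    if (cut == TORN_B) { tear(&c->b); return -1; }
    put(&c->b, v1);                             /* record V1 in B */
    if (cut == AFTER_B) return -1;
    if (cut == TORN_A) { memset(c->a, 0, sizeof c->a / 2); return -1; }
    memset(c->a, 0, sizeof c->a);               /* erase area A */
    if (cut == AFTER_A) return -1;
    c->c2 = 0;                                  /* erase indicator C2 */
    return 0;
}

/* Recovery (Figure 4). Returns the case applied: 1, 2, 4, or 5 (3 and 5 are
 * handled identically), or -1 when both codes are bad (assumption: fault). */
int recover(counter_t *c) {
    uint32_t va = blown(c);
    int which = 5;
    if (!valid(&c->sb) && !valid(&c->b)) { c->stopped = 1; return -1; }
    if (!valid(&c->sb)) {                       /* case 1: SB torn, B still holds VO */
        which = 1; put(&c->sb, c->b.val); put(&c->b, c->b.val + va);
    } else if (!valid(&c->b)) {                 /* case 2: B torn, SB holds VO */
        which = 2; put(&c->b, c->sb.val + va);
    } else if (c->sb.val == c->b.val) {         /* case 4: SB copied, B untouched */
        which = 4; put(&c->b, c->sb.val + va);
    }                                           /* else cases 3/5: B already holds V1 */
    memset(c->a, 0, sizeof c->a); c->c2 = 0;    /* erase area A, then C2 */
    return which;
}

/* Record n consumed units (Figures 2A/2B); `cut` injects a power loss. */
int record(counter_t *c, unsigned n, cut_t cut) {
    if (c->stopped) return -1;
    if (c->c2) { if (recover(c) < 0) return -1; }
    else if (!valid(&c->b) || !valid(&c->sb)) { c->stopped = 1; return -1; }
    unsigned l = A_BITS - blown(c);             /* L: bits still available in A */
    if (n <= l) { blow(c, n); return 0; }       /* write only, no erasure */
    blow(c, l);
    return update_b(c, n - l, cut);
}

/* Constructed scenario: 170 + 160 units, then 13 units interrupted at `cut`,
 * then 3 more. *which receives the recovery case (0 if no recovery ran). */
uint32_t scenario(cut_t cut, int *which) {
    counter_t c; counter_init(&c);
    record(&c, 170, NONE);
    record(&c, 160, NONE);
    record(&c, 13, cut);
    *which = c.c2 ? recover(&c) : 0;
    record(&c, 3, NONE);
    return total(&c);
}

int main(void) {
    for (int f = NONE, w; f <= AFTER_A; f++) {
        unsigned t = scenario((cut_t)f, &w);
        printf("cut point %d: recovery case %d, total %u\n", f, w, t);
    }
    return 0;
}
```

In the interrupted request L = 8 and n-L = 5, so cases 1, 2 and 4 end five units short of the uninterrupted total, while cases 3 and 5 lose nothing, matching the description.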

Claims (12)

1. A method for protected management of a unit counter in an electrically erasable and programmable memory, according to which the number of units consumed by users is recorded by means of a counter, said method including breaking down the unit counter into at least two memory areas including a first area in which at least one bit is stored by at least one consumed unit and a second area in which the value corresponding to total units consumed is stored, the second area being updated only when the number of units consumed exceeds or attains the number of not stored bits of the first area.
2. A method of managing a counter according to Claim 1, characterised in that the units consumed are recorded in the first area cyclically.
3. A management method according to Claim 1 or 2, characterised in that an operation of recording n units consumed comprises the following steps:
- reading the content of the first area and comparing the number of not stored bits in the first area with the number of consumed units to be recorded;
- if this number of not stored bits is greater than or equal to the number of units to be recorded, the bits to be recorded are stored in the said first area;
- if this number is less, L bits are stored in the first area and the remaining units are recorded in the second area by performing an operation of updating this area, and the first area is erased.
4. A management method according to any one of Claims 1 to 4, characterised in that an operation of updating the second area comprises a step of writing in this second area a new coded counter value equal to the current value to which the number of stored bits in the first area and the remaining consumed units to be stored are added.
5. A management method according to Claim 4, characterised in that the updating comprises a prior step of recording indicator information signifying that an updating is currently being carried out.
6. A management method according to any one of the preceding claims, characterised in that the unit counter has an area for backing up the second area and in that these two areas each have a field for recording a redundancy code, for checking the integrity of the content of these two areas.
7. A management method according to Claim 4 or 5, characterised in that an operation of recording n units consumed also comprises a prior step of verifying the state of the counter comprising the following operations:
- where the indicator information is indeed absent: verification of the validity of the fields containing the redundancy codes:
  - where the fields are valid: recording of the n units;
  - where the fields are not valid: detection of a fault and stoppage of the counter,
- where the indicator information is present: activation of the recovery operation to re-establish the integrity of the contents of the counter.
8. A management method according to Claim 6 or 7, characterised in that an operation of updating the second area then includes the following steps:
- recording the indicator information,
- copying, in the backup area, the coded value of the counter of the second area,
- recording the new coded value of the counter in the second area,
- erasing the indicator information.
9. A management method according to Claim 8, characterised in that the recovery operation consists in determining at which step the abnormality occurred, and then performing according to the circumstances determined, the steps of updating the backup area and/or of the second area and/or of the first area.
10. A management method according to Claim 9, characterised in that the determination of the step at which the abnormality occurred consists in reading the content of each of the areas in order to determine whether the abnormality occurred during the updating of the backup area, case 1, during the updating of the second area, case 2, during the erasure of the first area, case 3, between the updating of the second area and the backup area, case 4, or after the updating of these two areas, case 5;
- in case 1 in:
  - copying the value contained in the second area into the backup area,
  - updating the second area by recording the new value which is equal to the old one to which the content of the first area is added,
  - erasing the first area,
  - erasing the indicator information;
- in case 2 in:
  - copying into the second area the value contained in the backup area by adding the value contained in the first area,
  - erasing the first area,
  - erasing the indicator information;
- in case 3 in:
  - erasing the content of the first area,
  - erasing the indicator information;
- in case 4 in: implementing the steps according to case 2;
- in case 5 in: implementing the steps according to case 3.
11. A management method according to any one of the preceding claims, characterised in that it comprises the step of recording information signifying a failure in reading or writing to the first area deactivating the said area when it has not been possible to read or write in this area, and a step of reading this information at each new cycle, the units consumed then being directly recorded in a coded manner by an operation of updating the second area.
12. A management method according to Claim 5 or Claim 11, characterised in that the information indicating a current updating and the information signifying a failure in reading and writing to the first area are recorded in a third area of the said counter.
13. A method for protected management of a unit counter in an electrically erasable and programmable memory.
14. A security module implementing the method according to any one of the preceding claims.
15. A security module according to Claim 14, characterised in that it is installed in a terminal managing the consumed units, notably a telephony terminal.
DATED: 2 September, 2003
PHILLIPS ORMONDE FITZPATRICK
Attorneys for: Gemplus
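The recording, update and recovery steps of Claims 3, 7, 8 and 10, simulated in C as an added example that is not code from the patent. The struct layout, the 8-bit first area, the checksum in `chk`, the `tear` injection points and the `scenario` helper are assumptions made for illustration; the equal-capacity case follows Claim 3.

```c
#include <stdint.h>
#define A1_BITS 8                                       /* assumed capacity of the first area */
typedef struct { uint32_t val; uint8_t chk; } coded_t;  /* value + redundancy code */
typedef struct { uint8_t a1; coded_t a2, bak; uint8_t busy; } counter_t;

/* Assumed redundancy code: inverted XOR of the value's bytes. */
static uint8_t chk(uint32_t v) { return (uint8_t)~(v ^ (v >> 8) ^ (v >> 16) ^ (v >> 24)); }
static int ok(coded_t c) { return c.chk == chk(c.val); }
static coded_t code(uint32_t v) { coded_t c = { v, chk(v) }; return c; }
static unsigned stored(uint8_t a) { unsigned n = 0; for (; a; a >>= 1) n += a & 1u; return n; }

/* Claim 8 update; tear != 0 simulates power loss at the commented step. */
static int update(counter_t *c, uint32_t rest, int tear) {
    uint32_t nv = c->a2.val + stored(c->a1) + rest;
    c->busy = 1;                                        /* indicator: update in progress */
    c->bak = c->a2;   if (tear == 1) { c->bak.chk ^= 0xFF; return -1; } /* torn backup write */
    if (tear == 2) return -1;                           /* between backup and second area */
    c->a2 = code(nv); if (tear == 3) { c->a2.chk ^= 0xFF; return -1; }  /* torn second area */
    if (tear == 4) return -1;                           /* before first-area erase */
    c->a1 = 0;        if (tear == 5) return -1;         /* before indicator erase */
    c->busy = 0; return 0;
}

/* Claim 10 recovery. A tear between the indicator write and the backup write is
   not one of the claim's cases and is not distinguished by this example. */
static int recover(counter_t *c) {
    if (!c->busy) return 0;
    if (!ok(c->bak)) {                                  /* case 1 */
        if (!ok(c->a2)) return -1;
        c->bak = c->a2;
        c->a2 = code(c->bak.val + stored(c->a1));
    } else if (!ok(c->a2) || c->a2.val == c->bak.val)   /* cases 2 and 4 */
        c->a2 = code(c->bak.val + stored(c->a1));
    c->a1 = 0; c->busy = 0;                             /* cases 3 and 5 need only this */
    return 1;
}

/* Claims 3 and 7: verify the counter state, then record n units. */
static int record(counter_t *c, unsigned n, int tear) {
    if (recover(c) < 0 || !ok(c->a2) || !ok(c->bak)) return -1;  /* fault: stop the counter */
    unsigned free_bits = A1_BITS - stored(c->a1);
    if (n <= free_bits) { while (n--) c->a1 |= (uint8_t)(c->a1 + 1); return 0; }
    c->a1 = 0xFF;                                       /* fill the first area */
    return update(c, n - free_bits, tear);
}

/* Constructed scenario: 5 units, then 8 more with a tear, then recovery. */
uint32_t scenario(int tear) {
    counter_t c = { 0, code(0), code(0), 0 };
    record(&c, 5, 0); record(&c, 8, tear); recover(&c);
    return (ok(c.a2) && ok(c.bak) && !c.busy) ? c.a2.val + stored(c.a1) : UINT32_MAX;
}
```

When the tear falls before the new second-area value is committed, recovery adds only the content of the first area, as Claim 10 states, so the remainder of the interrupted operation is not counted and the total is 8 rather than 13.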
AU22857/99A 1998-03-20 1999-02-10 Method for securely managing a units counter and security module implementing said method Ceased AU766930B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR98/03483 1998-03-20
FR9803483A FR2776453B1 (en) 1998-03-20 1998-03-20 METHOD FOR SECURE MANAGEMENT OF A UNIT COUNTER AND SECURITY MODULE IMPLEMENTING THE METHOD
PCT/FR1999/000292 WO1999049646A1 (en) 1998-03-20 1999-02-10 Method for securely managing a units counter and security module implementing said method

Publications (2)

Publication Number Publication Date
AU2285799A AU2285799A (en) 1999-10-18
AU766930B2 AU766930B2 (en) 2003-10-23

Family

ID=9524318

Family Applications (1)

Application Number Title Priority Date Filing Date
AU22857/99A Ceased AU766930B2 (en) 1998-03-20 1999-02-10 Method for securely managing a units counter and security module implementing said method

Country Status (9)

Country Link
EP (1) EP1064776B1 (en)
JP (1) JP2002508632A (en)
CN (1) CN1149825C (en)
AT (1) ATE367712T1 (en)
AU (1) AU766930B2 (en)
CA (1) CA2323712A1 (en)
DE (1) DE69936574T2 (en)
FR (1) FR2776453B1 (en)
WO (1) WO1999049646A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6596388B1 (en) 2000-11-29 2003-07-22 Psiloquest Method of introducing organic and inorganic grafted compounds throughout a thermoplastic polishing pad using a supercritical fluid and applications therefor

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0626664A1 (en) * 1993-04-28 1994-11-30 Gemplus Card International Communication system using IC cards

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2591008B1 (en) * 1985-11-30 1991-05-17 Toshiba Kk PORTABLE ELECTRONIC DEVICE
FR2638868B1 (en) * 1988-11-09 1990-12-21 Bull Cp8 SECURE DOWNLOAD SYSTEM FOR A TERMINAL AND METHOD IMPLEMENTED
FR2742959B1 (en) * 1995-12-21 1998-01-16 Alcatel Mobile Comm France METHOD FOR SECURING THE USE OF A TERMINAL OF A CELLULAR RADIOCOMMUNICATION SYSTEM, CORRESPONDING TERMINAL AND USER CARD

Also Published As

Publication number Publication date
DE69936574D1 (en) 2007-08-30
WO1999049646A1 (en) 1999-09-30
EP1064776B1 (en) 2007-07-18
JP2002508632A (en) 2002-03-19
EP1064776A1 (en) 2001-01-03
CA2323712A1 (en) 1999-09-30
FR2776453A1 (en) 1999-09-24
AU2285799A (en) 1999-10-18
CN1293862A (en) 2001-05-02
DE69936574T2 (en) 2008-04-10
ATE367712T1 (en) 2007-08-15
CN1149825C (en) 2004-05-12
FR2776453B1 (en) 2000-05-19

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)