EP1169839A1 - Method for registering a user on a directory server of an Internet-type network and/or for locating a user on that network, and smart card for implementing the method - Google Patents

Method for registering a user on a directory server of an Internet-type network and/or for locating a user on that network, and smart card for implementing the method

Info

Publication number
EP1169839A1
Authority
EP
European Patent Office
Prior art keywords
smart card
software
data
user
type
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01907762A
Other languages
German (de)
English (en)
French (fr)
Inventor
Pascal Urien
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CP8 Technologies SA
Original Assignee
Bull CP8 SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bull CP8 SA
Publication of EP1169839A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/306 User profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols

Definitions

  • the invention relates to a method of registering a user on a directory server of a network, in particular of the Internet type, and/or of locating a user on such a network, using smart cards connected to terminals equipped with a smart card reader.
  • the invention also relates to a smart card for implementing this method.
  • In the context of the invention, the term "Internet network" must be understood in its most general sense. It covers, in addition to the Internet itself, corporate or similar private networks, of the so-called "intranet" type, networks extending them outwards, of the so-called "extranet" type, and generally any network in which data exchanges are carried out according to an Internet-type protocol. In what follows, such a network will be called generically "Internet network".
  • The term "terminal" should be understood in a general sense.
  • the aforementioned terminal can in particular be constituted by a personal computer operating under various operating systems, such as WINDOWS or UNIX (both being registered trademarks). It can also consist of a workstation, a laptop or a so-called dedicated card terminal.
  • dedicated Internet terminals having only a minimum of own IT resources, or even no permanent storage means, of the hard disk type.
  • a given layer offers its services to the layer immediately above it and requires other services from the layer which is immediately below it, via appropriate interfaces.
  • Layers communicate using primitives. They can also communicate with layers of the same level. In some architectures, several layers may be nonexistent.
  • An Internet user uses Internet terminals which have a fixed "IP" address, or a variable one when using an Internet service provider, generally known by the acronym "ISP" (for "Internet Service Provider").
  • a first drawback is constituted by the fact that an "IP" address is not associated with an Internet user, but with a computer system connected to the Internet. Even if the computer system has a fixed address, there is no a priori correspondence between an "IP” address and a natural person.
  • the user connects to so-called “IRC” servers (for "Internet Relay Chat”).
  • These servers associate an identifier of the Internet user, known as "UserID", with his "IP" address.
  • the identifier generally consists of the user's electronic mail ("e-mail") address, but any pseudonym can also be used.
  • the "IRC" servers will be called more generally "directory servers", abbreviated "SA".
  • One of the first constraints encountered is therefore the location of an Internet user on the Internet, that is to say the establishment of a correspondence between a fixed identifier and an "IP" address.
  • the location of an Internet user on the Internet that is to say the establishment of the aforementioned correspondence, presupposes that he has been previously registered in the directory server "SA".
  • the address of an Internet user on the Internet therefore consists of the pair: "Address SA" - "UserID".
  • "subscriber” means a “physical” entity. By extension, it can be a
  • a user indicates his location on the Internet by a voluntary act, by supplying the (directory) server with his current "IP" address using a registration protocol which will be called "PE" below.
  • "Subscriber profile" is generally used to denote all the information which is supplied to the directory server "SA" when the subscriber (Internet user) is registered, for example: the address of the directory server ("SA"); the subscriber identifier ("UserID"); the subscribers (identified by their "UserID") with whom the user agrees to communicate or to whom he wishes to notify his location in the network; and the information he agrees to make public on the directory server (for example: name, nationality, contacts sought, etc.).
  • the subscriber profile "PA" is, by nature, specific to the subscriber, but may also depend on the characteristics of the directory server, in particular on the type and nature of the information which must be supplied to it or which it can accept.
  • the "PL" protocol is, like the "PE" protocol, of the so-called proprietary type, since it addresses a directory server which is a priori non-standardized or which meets universally recognized standards.
  • the terminal used by any subscriber is also specific, in the sense that, if this subscriber wishes to change terminal, he must find on the new terminal at least the software associated with the "PL" protocol, assuming that he has carried out a preliminary registration phase on the first terminal, by using the "PE" protocol and by providing his "PA" profile to the "SA" directory server. Indeed, the presence of the "PL" protocol is necessary to address the directory server and have access to the data recorded in it, in particular the "IP" addresses of the correspondents sought and their "SA" profiles.
  • a smart card-based application system generally has the following main components: a smart card; a host system constituting the aforementioned terminal; a communication network, namely the Internet network in the preferred application; and an application server connected to the Internet.
  • FIG. 1A schematically illustrates an example of architecture of this type.
  • the terminal for example a personal computer, includes a smart card reader 3. This reader 3 may or may not be physically integrated into the terminal 1.
  • the smart card 2 has an integrated circuit 20 whose input-output connections are flush with the surface of its support to authorize a supply of electrical energy and communications with the terminal 1.
  • the latter comprises access circuits 11 to the Internet network RI. These circuits can be constituted by a modem to connect to a switched telephone line or to a higher speed communication channel: integrated services digital network ("ISDN”), cable or satellite links, etc.
  • the circuits 11 allow connection to the Internet RI network, directly or via an Internet service provider ("Internet Service Provider" or "ISP", according to English terminology).
  • Terminal 1 naturally includes all the circuits and components necessary for its proper functioning, which have not been shown in order to simplify the drawing: central unit, random access memory and fixed memory, magnetic disk mass memory, floppy disk and/or CD-ROM drive, etc.
  • the terminal 1 is also connected to conventional peripherals, integrated or not, such as a display screen 5, a keyboard 6a and a mouse 6b, etc.
  • the terminal 1 can be put in communication with servers or all computer systems connected to the RI network, of which only one, 4, is illustrated in FIG. 1 A.
  • the access circuits 11 put the terminal 1 in communication with the servers 4 thanks to a particular software 10, called "WEB” browser, or “browser” according to English terminology. This allows access to various applications or data files distributed over the entire RI network, generally in a "client-server” mode.
  • communications on networks are carried out in accordance with protocols meeting standards comprising several superimposed software layers.
  • communications are carried out according to protocols specific to this type of communications, which will be detailed below, but which also include several software layers.
  • the communication protocol is chosen according to the application more particularly targeted: interrogation of "WEB" pages, file transfers, electronic mail ("e-mail"), forums or "news", etc.
  • The logical architecture of the system comprising a terminal, a smart card reader and a smart card is represented diagrammatically in FIG. 1 C. It is described by the ISO 7816 standard, which itself comprises several sub-assemblies:
  • In FIG. 1B, on the terminal side 1, only the layers meeting the ISO 7816-3 standard, referenced 101, and an "APDU" order manager (ISO 7816-4 standard), referenced 102, have been represented.
  • the layers corresponding to ISO 7816-3 are referenced 200 and the "APDU" order manager (ISO 7816-4 standard) is referenced 201.
  • the applications are referenced A1, ..., Aj, ..., An; n being the maximum number of applications present on the smart card 2.
  • An application, Aj, present in the smart card 2 dialogues with the terminal 1 by means of a set of orders.
  • This set typically comprises write orders and read orders.
  • the order format is known by the English abbreviation "APDU" (for "Application Protocol Data Unit"). It is defined by the aforementioned ISO 7816-4 standard.
  • a command "APDU" is noted "APDU.command" and a response "APDU" is noted "APDU.response".
  • terminal 1 only dialogs with one application at a time.
  • a new “APDU SELECT” has the effect of abandoning the current application and choosing another one.
  • the "APDU" manager software sub-assembly 201 makes it possible to choose a particular application Aj in the smart card 2, to store the application thus chosen, and to transmit and/or receive "APDUs" to and from this application. In summary of what has just been described, the selection of an application
  • the invention aims to overcome the drawbacks of the methods and devices of the known art, and some of which have just been recalled, while meeting the needs which are felt.
  • the applications necessary for the implementation of the registration ("PE") and location ("PL") protocols, as well as the data characterizing the subscriber profile ("PA"), are files stored, in whole or in part, in memories of a smart card, the executable type files being standard applications of the aforementioned "GCA" type.
  • the smart card behaves like a server / client of the "WEB" type for the terminal associated with it.
  • a specific communication software layer is provided in the smart card and its counterpart in the terminal.
  • the term "specific" should be understood as specific to the process of the invention. Indeed, these so-called specific communication layers are generic, whatever the application considered. In particular, they are independent of the applications necessary for the implementation of the "PE" and "PL" protocols. They only intervene in the two-way data exchange process between the smart card and the terminal, on the one hand, and the smart card and the network, on the other hand.
  • the specific communication software layers notably comprise software components, called “intelligent agents", allowing in particular protocol conversions.
  • the intelligent agents will be referred to hereinafter more simply as “agents”.
  • agents paired in the respective specific communication layers associated with the terminal and the smart card.
  • sessions are established between paired agents.
  • the method of the invention makes it possible to activate applications of conventional type, that is to say of the aforementioned "CGA” type, located in a smart card, without having to modify them in any way.
  • one or more particular intelligent agents, known as script translators, are provided, which receive requests from a browser and translate them into "APDU" orders understandable by the "CGA" type application. A function similar to that known under the name "CGI" in conventional "WEB" servers is therefore implemented in the smart card. This function makes it possible to implement an application in the smart card by an Internet protocol of the "HTTP" type.
  • the main object of the invention is therefore a method of putting a first user into contact with at least one directory server, with a view to registering and / or locating at least one second user on a network in particular.
  • connection being effected by means of a terminal provided with a smart card reader and at least one piece of software called recording and / or location software, said terminal being connected to each of said directory servers via said Internet type network and communicating with said smart card according to a first determined protocol, characterized in that at least one of said pieces of software is stored in said smart card; in that this smart card comprising a first piece of software, forming a specific communication protocol layer, and said terminal comprising a second piece of software, forming a specific communication protocol layer, said first and second pieces of software further comprise at least one pair of first paired software entities, each of said entities cooperating with each other so as to allow the establishment of a bidirectional data exchange session between at least said terminal and said smart card, and / or said Internet-type network, so that said smart card offers the functionality of a "WEB" client / server; in that said smart card comprises at least a second software entity cooperating with said second specific piece of software so that said smart card offers a so-called "CGI" gateway interface functionality
  • the invention also relates to a smart card for the implementation of this method.
  • FIGS. 1A and 1B illustrate the hardware and logic architectures, respectively, of an example of a smart card-based application system connected to an Internet network according to known art
  • FIG. 2 schematically illustrates an example of application system based on smart card according to the invention, the latter acting as client / server "WEB", according to one aspect of the invention
  • Figure 3 is a state diagram of a session between software entities called intelligent agents, according to one aspect of the invention
  • FIG. 4 illustrates in a simplified manner the logical architecture of a system according to the invention in which the smart card comprises intelligent agents
  • FIG. 5 illustrates in a simplified way the logical architecture of a system according to another aspect of the invention according to which the smart card comprises intelligent agents translating scripts, so as to implement a so-called "CGI" function
  • FIG. 6A schematically illustrates a first step in the phase of registering an Internet user on a directory server
  • Figures 6B and 6C illustrate examples of "HTML" forms usable for this registration phase
  • FIG. 6D schematically illustrates the main steps of the registration phase of a user on a directory server
  • FIG. 6E schematically illustrates the main steps of the registration phase of an Internet user with several directory servers
  • FIG. 7 schematically illustrates the main steps of the phase of locating a user on the Internet by interrogating a directory server
  • FIG. 8 schematically illustrates a smart card architecture according to the invention having a portable multi-directory database functionality.
  • FIG. 2 schematically illustrates an example of a smart card-based application system according to a first aspect of the invention, enabling the latter to act as a "WEB" client / server.
  • the terminal 1 comprises circuits 11 for access to the RI network, consisting for example of a modem. These circuits group together the lower software layers, C1 and C2, which correspond to the "physical" and "data link" layers. Also shown are the upper layers, C3 and C4, which correspond to the "network addressing" ("IP", in the case of the Internet) and "transport" ("TCP") layers.
  • the upper application layer (“http”, “ftp”, "e-mail”, etc.) has not been shown.
  • the interface between the lower layers, C1 and C2, and the upper layers, C3 and C4, is constituted by a software layer generally called "low layer driver".
  • the upper layers, C3 and C4, rely on this interface and are implemented by means of specific function libraries or network libraries 14, with which they correspond.
  • TCP / IP is implemented by means of libraries known as “sockets”.
  • This organization allows a browser 10 to make requests to a server 4, for consulting "WEB” pages (“HTTP” protocol), for transferring files (“FTP” protocol) or sending electronic mail ( "e-mail” protocol), in a completely classic way in itself.
  • the terminal 1 also includes a card reader 3, integrated or not.
  • the card reader 30 also includes two lower layers, CC1 (physical layer) and CC2 (data link layer), playing a role similar to layers C1 and C2.
  • the software interfaces with the layers CC1 and CC2 are described, for example, by the specification "PC / SC" ("part 6, service provider").
  • the layers themselves, CC1 and CC2 are in particular described by ISO standards 7816-1 to 7816-4, as has been recalled.
  • An additional software layer 16 forms the interface between the application layers (not shown) and the lower layers, CC1 and CC2.
  • the main function assigned to this layer 16 is a multiplexing / demultiplexing function.
  • the communications with the smart card 2a take place according to a paradigm similar to that used for the manipulation of files in an operating system of the "UNIX" type (registered trademark): open ("OPEN"), read ("READ"), write ("WRITE"), close ("CLOSE"), etc.
  • CCa1: physical layer
  • CCa2: data link layer
  • the specific layer 13 interfaces with the "low layer drivers" 15, with the libraries 14 of the network layers, C3 and C4, and with the protocol layers of the card reader 3, that is to say the lower layers, CC1 and CC2, via the multiplexing layer 16.
  • the specific layer 13 allows the transfer of network packets to and from the smart card 2a. In addition, it adapts existing applications such as the Internet browser 10, e-mail, etc., for uses implementing the smart card 2a.
  • the specific layers, 13 and 23a, are subdivided into three main software elements: a module, 130 or 230a, for transferring blocks of information between layers 13 and 23a, via the conventional layers CC1, CC2, CCa1 and CCa2; one or more pieces of software, called "intelligent agents", 132 or 232a, which perform, for example, protocol conversion functions; and a specific configuration management module, 131 and 231a, respectively, which can be likened to a particular intelligent agent.
  • CCa2 ensure the exchange between the smart card 2a and the terminal 1.
  • the ISO 7816-3 protocol will preferably be used, in block mode.
  • each protocol layer is associated with a certain number of primitives which allow the exchange of data between layers of the same level and from one layer to another.
  • the primitives associated with the layer of level two are of the type "data request" ("Data.request") and "data sending" by the card ("Data.response"), as well as "data confirmation" ("Data.confirm"), etc.
  • the layers 13 and 23a are responsible for the dialogue between the smart card 2a and the host, that is to say the terminal 1.
  • These layers allow the exchange of information between a user (not shown) of terminal 1 and the smart card 2a, for example via drop-down menus in the form of hypertext in "HTML" format. They also allow the setting up of a configuration suitable for the transmission and / or reception of data packets.
  • the layers include three separate entities.
  • the first layer, 130 or 230a is essentially constituted by a software multiplexer. It allows the exchange of information between the smart card 2a and the host terminal 1, in the form of protocol data units. It plays a role similar to that of a data packet switch. These units are sent or received via the level two layer (data link layer).
  • This particular communication protocol makes it possible to put at least one pair of "agents" into communication.
  • the first agent of each pair, 132 is located in layer 13, on the terminal side 1, the second, 232a, is located in layer 23a, on the smart card side 2a.
  • a link between two "agents" is associated with a session, which can be called "S-Agent".
  • a session is a two-way data exchange between these two agents. If one or other of the layers, 13 and 23a, comprises several agents, the agents of the same layer can also establish sessions with each other and / or with the modules 131 and 231a, which constitute particular agents.
  • an agent is an autonomous software entity which can perform all or part of the functions of the layers of levels three and four, depending on the configuration implemented by the terminal 1. Agents are associated with particular properties or attributes. To fix the ideas, and by way of nonlimiting example, the following six properties are associated with the agents:
  • There are two main categories of agents: "server" type agents, which are identified by a fixed reference, and "client" type agents, which are identified by a variable reference, which can be described as ephemeral, delivered by the configuration management module, 131 or
  • the agents communicate with each other using entities called "protocol data units" or "pdu", comprising a destination reference and a source reference.
  • a "SmartTP pdu", or more simply "pdu" below, includes a source reference, a destination reference, a set of bits constituting flags which specify the nature of the "pdu", and optional data: the "OPEN" flag is set to indicate the opening of a session; the "CLOSE" flag indicates the end of a session; and
  • the "SmartTP” entity checks the existence of the destination agent and switches a packet to it.
  • An "S-Agent" agent session has three notable states, namely: a disconnected state, in which no session is open with another agent
  • a session is opened with another agent, an "S-Agent" session being identified by a pair of references;
  • a new instance of a client agent is created (chip card or terminal side), this agent being identified by a temporary pseudo-unique reference;
  • the client agent issues a "pdu" to a server agent (whose reference is known elsewhere) with the "OPEN" flag set, and the client agent goes into the connected or blocked state depending on the value of the "BLOCK" flag; and the server agent receives the "pdu" with the "OPEN" flag and goes to the connected state
  • the mechanism for closing a session is as follows: an agent issues a "pdu" with the "CLOSE" flag set (which possibly includes data); and the other agent receives a "pdu" with the "CLOSE" flag set (which possibly includes data) and the "S-Agent" session goes to the disconnected state.
  • FIG. 3 schematically illustrates the state diagram of the "S-Agent" sessions, as they have just been recalled.
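The session mechanism described above, as an added Python illustration that is not taken from the patent: it models the "pdu" fields, the three session states and the switching check on the destination agent. Integer references, the flag bit values, the rule that a blocked agent resumes when its peer answers, and the single agent table shared by both sides are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum, IntFlag


class Flag(IntFlag):
    NONE = 0
    OPEN = 1    # flag names are the text's; the bit values are assumed
    CLOSE = 2
    BLOCK = 4


State = Enum("State", "DISCONNECTED CONNECTED BLOCKED")


@dataclass(frozen=True)
class Pdu:
    src: int                  # source reference
    dst: int                  # destination reference
    flags: Flag = Flag.NONE
    data: bytes = b""         # optional data


class Agent:
    def __init__(self, ref):
        self.ref = ref
        self.sessions = {}    # peer reference -> State; absent means disconnected
        self.received = []    # (peer reference, data) accepted inside a session

    def state(self, peer):
        return self.sessions.get(peer, State.DISCONNECTED)

    def open(self, peer, block=False, data=b""):
        self.sessions[peer] = State.BLOCKED if block else State.CONNECTED
        flags = Flag.OPEN | (Flag.BLOCK if block else Flag.NONE)
        return Pdu(self.ref, peer, flags, data)

    def send(self, peer, data):
        if self.state(peer) is not State.CONNECTED:
            raise RuntimeError("no connected session with agent %d" % peer)
        return Pdu(self.ref, peer, Flag.NONE, data)

    def close(self, peer, data=b""):
        self.sessions.pop(peer, None)
        return Pdu(self.ref, peer, Flag.CLOSE, data)

    def receive(self, pdu):
        # Apply one pdu to the session table; False means it was rejected.
        peer = pdu.src
        if pdu.flags & Flag.OPEN:
            if self.state(peer) is not State.DISCONNECTED:
                return False                       # OPEN on a live session
            self.sessions[peer] = State.CONNECTED
        elif self.state(peer) is State.DISCONNECTED:
            return False                           # data or CLOSE with no session
        else:
            self.sessions[peer] = State.CONNECTED  # assumed: an answer unblocks
        if pdu.data:
            self.received.append((peer, pdu.data))
        if pdu.flags & Flag.CLOSE:
            self.sessions.pop(peer, None)          # back to disconnected
        return True


class Multiplexer:
    """Agent table and pdu switching, the role the text gives to "SmartTP"."""
    EPHEMERAL_BASE = 0x8000   # assumed split: server refs below, client refs above

    def __init__(self):
        self.agents = {}
        self.dropped = []
        self._next_client = self.EPHEMERAL_BASE

    def register(self, ref=None):
        if ref is None:       # client agent: ephemeral reference
            ref, self._next_client = self._next_client, self._next_client + 1
        elif ref in self.agents or ref >= self.EPHEMERAL_BASE:
            raise ValueError("invalid or duplicate server reference")
        self.agents[ref] = Agent(ref)
        return self.agents[ref]

    def switch(self, pdu):
        # Check that the destination agent exists before switching the packet.
        dest = self.agents.get(pdu.dst)
        if dest is None or not dest.receive(pdu):
            self.dropped.append(pdu)
            return False
        return True


def demo():
    mux = Multiplexer()
    web = mux.register(2)     # constructed reference for a card-side server agent
    client = mux.register()
    def step(pdu):
        return mux.switch(pdu), client.state(web.ref), web.state(client.ref)
    trace = [
        step(client.open(web.ref, block=True, data=b"GET /")),
        step(web.send(client.ref, b"<html>...</html>")),
        step(client.close(web.ref)),
        step(Pdu(client.ref, web.ref, Flag.NONE, b"late")),  # no session left
        step(Pdu(client.ref, 99, Flag.OPEN)),                # unknown agent
    ]
    return trace, web.received, len(mux.dropped)
```

The last two steps show the checks an implementer of the multiplexing layer would want: a pdu outside any open session and a pdu for a reference missing from the agent table are both dropped instead of reaching an application.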
  • Layers 130 and 230a manage tables (not shown) which contain the list of agents present, on the host terminal side 1 and smart card 2a.
  • the agents make it possible to exchange data (of hypertext, for example), but also to trigger network transactions, authorizing communications between the smart card 2a and a remote server 4 (FIG. 2).
  • the configuration management modules, 131 and 231a can be compared to specific agents.
  • the module 131 on the host terminal side 1, manages in particular information relating to the configuration of this terminal (operating modes), list of the other agents present, etc.
  • the module 231a, on the smart card side 2a has similar functions. These two agents can be put in communication with each other to establish a session. In practical terms, the smart card 2a is advantageously
  • FIG. 4 illustrates in a simplified manner the logical architecture of a system according to the invention of the type shown in FIG. 2, but described in more detail.
  • the smart card 2a includes several agents, of which only two have been represented: an agent 232a1, of a type not precisely defined, and an agent 232a2, of the so-called "WEB" type.
  • the logic stack comprises the lower protocol layers, referenced 200a, meeting ISO standards 7816-3 (FIG. 2: CCa1 and CCa2), the "APDU" command manager 201 ai, and the packet multiplexer 230a, the latter interfacing with the agents, in particular the "WEB" agent 231 a2.
  • the first stack comprises the components 11 (FIG. 2: C1 and C2) for accessing the network (OSI standards 1 and 2) and the "TCP / IP" protocol layers (FIG. 2: C3 and C4), referenced 100. These last layers are interfaced with the "WEB" browser 10.
  • the other stack includes the lower protocol layers, referenced 101, meeting ISO 7816-3 standards ( Figure 2: C-
  • the latter which will be assumed to be "network type" can also communicate, on the one hand with the browser 10, via the "TCP / IP” layers 101, on the other hand with the Internet network RI, via these same "TCP / IP” layers 101 and member 11, for access to the RI network.
  • the "APDU" order manager 201a also interfaces with one or more application-level layers, which will simply be called applications. These applications, A1, ..., Aj, ..., An, are, as indicated, applications of the conventional type.
  • the client / server function "WEB”, provided by the smart card 2a can be performed by the combination of the agent "WEB" 232a ⁇ in the smart card and the network agent 132 in the terminal 1, and by the implementation of sessions between agents, as described.
  • the smart card 2a therefore clearly presents the client / server functionality "WEB".
  • any conventional application, A1 to An, of the above "CGA" type can be activated through this "WEB" client / server, either by the "WEB" browser 10 present in the terminal 1, or by a remote browser 4, located at any point of the Internet network RI, through the implementation of sessions between agents.
  • the applications, A1 to An, do not need to be rewritten and are implemented as they are.
  • all or part of the applications A1 to An may consist of applications associated with one or more "PE" protocol(s) and/or one or more "PL" protocol(s), and loaded into a memory of the smart card 2a.
  • Data representing one or more "PA” profiles can also be stored in the smart card 2a.
  • the client / server functionality "WEB" offered by the smart card 2a is not sufficient for an application to be able to run. It is necessary to add an additional functionality to it.
  • the "WEB" server function offered by the smart card 2a includes a mechanism similar to the so-called "CGI" function (for "Common Gateway Interface") installed in conventional "WEB" servers.
  • CGI is a specification for implementing, from a "WEB" server, applications written for the "UNIX" (registered trademark), "DOS", or "WINDOWS" (registered trademark) operating systems.
  • an "HTTP" request for a "URL" address of the type: "http://www.host.com/cgi-bin/xxx.cgi" (2), in which "host" refers to a host system (usually remote), is interpreted by a "WEB" server as the execution of a command script of the "CGI" type, named "xxx" and present in the "cgi-bin" directory of this host system.
  • a script is a series of instructions from the operating system of the host system, the final result of which is transmitted to the "WEB" browser issuing the above request.
  • Different languages can be used to write this script, for example the language "PERL" (registered trademark).
  • the request is usually displayed on a computer screen in the form of a form included in an "HTML" page.
  • the "HTML" language allows you to translate a form into a "URL" address.
  • the form includes one or more fields, mandatory or not, which are filled in by a user using the usual input methods: keyboard for text, mouse for check boxes or so-called "radio" buttons, etc.
  • the content of the form (as well as possibly so-called "hidden" information and instructions) is sent to the "WEB" server.
  • the "HTML" code on the page describes the physical structure of the form (frame, graphics, color, and any other attribute), as well as the structure of the data fields to be entered (name, length, type of data, etc.).
  • Transmission can take place in two main types of formats.
  • a first format uses the so-called "POST" method and a second uses the so-called "GET" method.
  • Format type information is present in the code of the form page.
  • Script translating agents, abbreviated as "ATS".
  • the script is then interpreted by one of the intelligent agents.
  • This translation can be carried out in different ways: a/ by the "WEB" agent 232a 1 itself, which in this case is provided with a double capacity; b/ by a single script agent capable of translating all the scripts present in the smart card 2a; c/ by a dedicated script agent which will be called "ATSD" below (one agent per script); or d/ by an "APDU" agent 2010a of the order manager "APDU"
  • the "APDU" agent 2010a is a component of the "APDU" order management layer 201a.
  • the latter is a layer capable of centralizing all the "APDU" orders sent and / or received by the system, of selecting applications from A 1 to A n , but also of offering an interface of the intelligent agent type. It is therefore capable, according to one of the characteristics of the invention, of communicating with all the intelligent agents (via sessions), whether these agents are located in the terminal 1 or the smart card 2a. In case c/ above, a session is opened between the agent
  • FIG. 5 illustrates an example of architecture for which the translating agents are of the "ATSD" type. They are referenced ATS 1 to ATS n and associated with the applications A 1 to A n .
  • the selected application being assumed to be the application A i , the session is established between the "WEB" agent 232a 1 and the agent ATS i .
  • a script translator agent generates a sequence of "APDU" orders.
  • a session is opened between the translating agent, for example the agent ATS i , and the "APDU" agent 2101a.
  • the orders are then issued to the "APDU" agent 2101a.
  • the "APDU" order manager 210a selects the "CGA" application A i and transmits to it the "APDU" orders, translated and therefore conventional orders, which it is able to understand. This application is therefore correctly activated, without having to modify or rewrite it.
  • the responses of the application A i are transmitted to the "APDU" order manager 210a, to the "APDU" agent 2010a, then again to the agent ATS i (and more generally to the script translator agent).
  • the method according to the invention uses the two characteristics which have just been mentioned: operation of the smart card as a "WEB" server / client, including a "CGI" function.
  • the first phase concerns the registration of a subscriber profile in a particular directory server which will be referred to as SA, below.
  • the smart card 2a is addressed by the browser 10 of the terminal 1, via the layers 13 and
  • This recovery is carried out by consulting a corresponding page whose URL is typically of the following form: http://127.0.0.1:8080/download.html (3), in which http://127.0.0.1:8080 is the actual loopback URL, as defined by the relation (1), and "download.html" the "HTML" page to obtain.
  • This request implements a session between intelligent agents as it has been described with reference to FIGS. 2 to 4, according to a first aspect of the invention.
  • the smart card 2a then plays the role of a "WEB" server.
  • the smart card 2a sends the "download.html" form during a second step, always by opening sessions between paired intelligent agents, according to the method of the invention.
  • the form obtained can be displayed on a screen 5 via the browser 10 and is referenced P in FIG. 6A which schematically illustrates this process.
  • This form constitutes a home page for the Internet user wishing to register on a directory server.
  • the smart card then behaves like a "WEB" server.
  • the P page can usually include different graphic or text elements, as well as interactive control elements ("radio" type buttons, check boxes, data entry areas, etc.).
  • Form P includes various text areas, under the unique reference Z t . These zones typically display the name "xxx" of the directory server (SA U ), the proposed action "registration" and various aids (for example "click here"). Since it was assumed that the data of the subscriber profile PA U were recorded in the smart card 2a, it suffices to provide a send button B s . When the Internet user clicks on this button using a mouse (Figure 1A: 6b) or presses the "enter" key on a keyboard (Figure 1A: 6a), this triggers the sending of the form to the smart card 2a.
  • FIG. 6C illustrates a possible example of a form, referenced P 2 . It comprises a first fixed text zone Z n , similar to that of FIG. 6B (Z,), and one or more data entry zone(s), under the unique reference Z. As before, a send button B s is provided, but advantageously also a button B for re-initializing the form P 2 , which erases the data entered in error.
  • the data entry zone(s) Z can be of the type known as "TEXTAREA" in "HTML" language and present a facility called "lift" (scroll bar) for the scrolling display of long texts
  • the "HTML" code necessary to program such a form is well known in itself and is within the reach of those skilled in the art. There is no need to detail it again. We can however indicate that it contains in particular a line of code in "HTML" language which typically takes the form:
  • the data entered is passed as parameters to the smart card 2a, in the form of an "HTTP" request.
  • FIG. 6D schematically illustrates the overall process of the registration phase of an Internet user on a directory server SA U , constituted by one of the servers 4 (FIGS. 2 or 4).
  • the unique reference S WEB groups together various modules of FIG. 5 allowing the smart card 2a to offer the combined functionalities of client / WEB server and "CGI" gateway.
  • the application A e allowing the implementation of the recording protocol "PE" was associated with a dedicated script translator agent AT e ; it is a configuration conforming to that illustrated in figure 5.
  • the translation of the scripts can be carried out in other ways (by the "WEB" agent 232a 1 (figure 5), etc.).
  • the application A e makes an "HTTP" request by opening sessions between pairs of intelligent agents, in particular involving an agent of the "network” type (FIG. 5: 132).
  • the request is transmitted to the directory server SA U , with passing parameters
  • the parameters consist in particular of the subscriber profile data PA U , so as to allow its recording in the directory
  • the "URL" address of the directory server is obtained from the subscriber profile SA U recorded in the smart card 2a or from the data entered in the form P 2 .
  • the registration process is completed at this stage. It may however include one or more additional steps.
  • One of these steps may consist in sending an acknowledgment of receipt by the directory, in the form of an "HTTP" request addressing the smart card 2a.
  • the acknowledgment may include information indicating that the registration has been completed satisfactorily, or on the contrary an error code. In the latter case, the registration process must be repeated.
  • the server may request the sending of missing data or the re-transmission of incorrect or corrupted data.
  • the registration request can also be rejected, in particular if the subscription validity limit is exceeded.
  • the data associated with the subscriber profiles can be stored in the smart card 2a, or, on the contrary, supplied, piecemeal , by the internet user according to a method similar to that which has been described with regard to FIG. 6C, by entering in an appropriate form, q is the maximum number of subscriber profiles available. Note that q is not necessarily equal to n. Indeed, a given directory server, which will be arbitrarily referred to as SA, can accept several distinct occurrences of the same subscriber (Internet user), on the one hand. On the other hand, several subscriber servers, although distinct, can accept the same subscriber profile and possibly share a common registration protocol.
  • the smart card 2a stores four distinct subscriber profiles, PA A to PA D , each of the profiles making it possible to register on a single directory server, ie SA A to SA D .
  • a form, or home page, referenced P 3 , allowing this recording can be presented as illustrated diagrammatically by FIG. 6E. It comprises a first header text area Z te similar to the text area Z f in FIG. 6B, possibly supplemented by graphic areas. It includes four additional text zones, Z tA to Z tD , associated with the four directory servers, SA A to SA D .
  • the form allows you to select one or more, or even all.
  • a send button B s is provided, making it possible to transmit the content of the form to the smart card 2a.
  • the parameters passed to the smart card 2a must make it possible to select one or more subscriber profiles, PA A to PA D , and to derive one or more "URL" addresses.
  • the actions requested by the parameters passed to the smart card 2a are typically of the type: "?sa i + enr + pa j " (5), with "sa i " the name of the directory server of arbitrary index i among the n possible, "enr" the required registration action proper and "pa j " the subscriber profile to be used among the q possible.
  • One or more "HTTP" requests are made and transmitted to the directory servers concerned, SA A to SA D (FIG. 6E) and in the general case SA A to SA n , if there are n selected directory servers.
  • a second phase of the method according to the invention, that is to say the location, on the Internet, of an Internet user associated with any identifier, can take place very similarly to the registration phase. To do this, it is necessary to query one or more directory server(s). It is also necessary to have at least one specific "PL" protocol for locating this Internet user. Finally, if there are several searchable directory servers, SA to SA n , it is generally also necessary, as in the case of registration, to have several separate location protocols.
  • the localization process takes place in a very similar way to that of the registration of the Internet user on one or more SA, directory servers.
  • a subscriber profile PA S is no longer explicitly required. It suffices to provide the smart card 2a with the identifier of the Internet user sought and the address of the directory server SA, or at least parameters allowing the application associated with one of the location protocols to determine this "URL" address.
  • a subscriber profile PA t can however be used to automatically derive therefrom the "URL" address of the directory server SA, with the help of which a web user wishes to locate another web user.
  • the identifier of the Internet user sought may be their e-mail address, an address which typically takes the following form: pseudo@fournisseur.com (6), with "pseudo" the e-mail user name of the Internet user or more generally a pseudonym, and "fournisseur.com" the name and suffix of the Internet service provider (".com" can be replaced as appropriate by various suffixes: ".fr", ".net", etc.).
  • FIG. 7 illustrates the main stages of the phase of locating an internet user by interrogating a SA directory. In a first step, the smart card 2a is addressed by the browser 10 of the terminal 1, via the layers 13 and 23a.
  • a command of type "GET", for example, loads a form from the smart card 2a in the form of a home page referenced F.
  • This home page can take different aspects, similar in particular to those described with reference to FIGS. 6C or 6E.
  • the Internet user selects one or more directory servers and provides identification data of the Internet user sought.
  • In FIG. 7, it has been assumed that a single directory server SA is interrogable.
  • the page is transmitted in the form of an "HTTP" request to the smart card 2a and is interpreted by a script translator agent At, associated with an application / A, for implementing the "PL" protocol.
  • This server searches its database for an "IP" address corresponding to the identification data received. If successful, ie if the requesting Internet user is actually registered, if this Internet user has the right to obtain this address and if the data received is correct, the data retransmitted includes the "IP" address of the Internet user sought, which makes it possible to locate it.
  • the recording protocols, the location protocols and the subscriber profiles bear the unique references, PE X , PL y and PA Z , respectively, with x the number of recording protocols, y the number of location protocols and z the number of distinct subscriber profiles.
  • This set makes it possible to establish connections with n separate directory servers, either to register an internet user carrying the smart card 2a, or to locate an internet user on the Internet RI network.
  • the use of a smart card 2a allows robust authentication of its owner, during the recording phase and / or the location phase. Indeed, it is possible to store security data in the smart card 2a which remains the property of its owner. Such security data can consist of encryption keys.
  • since the smart card can communicate directly with the Internet, by the implementation of sessions between intelligent agents, this data does not have to be transmitted to an external device, not even to the terminal 1.
  • the processing operations relating to security are carried out directly by the smart card 2a. This way of proceeding therefore offers a much higher degree of security than the simple use of the so-called secure software layers of recent "WEB" browsers, known under the English abbreviation "SSL" (for "Secure Sockets Layer").
  • the actual authentication can be carried out using the so-called certificate technique, in association with the aforementioned encryption keys stored in the smart card.
  • This procedure may require additional transactions between the smart card 2a and the directory server(s) concerned, using "HTTP" requests passing through the Internet network RI.
  • the smart card allows an Internet user to register on one or more directory servers and / or to locate an Internet user on the Internet, also through one or more directories.
  • since the smart card has the combined functionality of a "WEB" client / server and a "CGI" gateway, this arrangement allows direct communications between the smart card and the directory server(s). It therefore authorizes the storage of specific software necessary for the implementation of recording and / or localization protocols, which allows great mobility.
  • One or more subscriber profiles can also be stored in the smart card. The internet user is no longer required to use terminals configured specifically for the aforementioned protocols.
  • the smart card is transformed into a portable multi-directory database.
  • the method according to the invention is entirely compatible with existing systems.
  • the Internet user sought is not required to have registered on one or more directory servers by making use of the method according to the invention.
  • the transmissions on the Internet network are carried out according to the protocols in force and the communications between the terminal and the smart card use the aforementioned standardized protocol "ISO".
  • the use of a smart card allows secure transactions and, in particular, "robust" authentication.
  • the invention is not limited to only the examples of embodiments explicitly described, in particular in relation to FIGS. 2 to 8.
  • the two series of proprietary software, "PE" and "PL", need not both be stored in the smart card, although this arrangement is particularly advantageous.
  • since the recording phase(s), in one or more directory servers, can be carried out once and for all, or are at least a priori less frequent than the localization phases, one could be satisfied with storing in the smart card only the specific applications associated with this last operation.
  • subscriber profiles "PA" in the smart card (the data can be provided in real time when the subscriber is registered in a particular directory server). It is also possible to save only part of the subscriber profiles, profiles which can be provided automatically.
  • the invention also relates to a method of connecting a first user with at least one directory server, with a view to registering and / or locating at least one second user on a network, in particular of the Internet type.
  • said connection being effected by means of a terminal provided with a smart card reader and at least one piece of software called recording and / or localization software, the terminal and the smart card comprising information processing means and information storage means, said terminal being connected to each of said directory servers via said Internet-type network and communicating with said smart card according to a first determined protocol, characterized in that at least one of said pieces of software (A e , A,) is stored in said smart card (2a); in that this smart card (2a) comprising a first piece of software (23a), forming a specific communication protocol layer, and said terminal (1) comprising a second piece of software (13), forming a specific communication protocol layer, said first and second pieces of software (13, 23a) further comprise at least one pair of first paired software entities (132, 232a), each of said
  • the invention also relates to a smart card comprising information processing means and information storage means and intended to cooperate with a terminal provided with a smart card reader, for connecting a first user with at least one directory server, for the purpose of registering and / or locating at least one second user on a network, in particular of the Internet type, using recording and / or determined location, characterized in that said smart card (2a) stores, in the information storage means, at least one piece of software (A e ,
  • this smart card (2a) comprises, in the information storage means, a piece of software (23a), forming a specific communication protocol layer, further comprising at least a first autonomous software entity (S 1 ), of the so-called client type, and a second autonomous software entity (S 2 ), of the so-called server type, said entities (S 1 , S 2 ) cooperating, by means of information processing, so that said smart card (2a) offers the functionality of a client / server of the "WEB" type and to allow said connection of a first user with at least one directory server
  • said smart card (2a) comprises, in the information storage means, at least one second software entity (AT e , AT,) cooperating, thanks to the information processing means, with said specific piece of software (23a), so that said smart card (2a) offers a gateway interface functionality called "CGI” allowing the execution of said pieces of software ⁇ A ⁇ , Aj) associated with said determined recording and localization protocols.
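The description above has a script translator agent turn a form request of type (5) into a sequence of "APDU" orders for the selected application. The following sketch is an added example, not code from the patent: it parses such a request addressed to the card's loopback server, accepts only server, action and profile names the card already knows, and emits an ISO 7816-4 SELECT followed by one proprietary order. The script path, the names `sa_A`/`pa_A`, the AID, the CLA/INS bytes and the TLV layout are assumptions made for the illustration.

```python
"""Added illustration: a script translator agent (ATS) mapping a form request to APDU orders.

Server names, profile names, the CGI path, the AID and the proprietary CLA/INS
bytes are constructed for this example; none of them comes from the patent.
"""
from urllib.parse import urlsplit, unquote

LOOPBACK = ("127.0.0.1", 8080)          # loopback address used on the page
CGI_PATH = "/cgi/register"              # hypothetical path of the card-side script
APP_AID = bytes.fromhex("F000000001")   # hypothetical AID of the registration application

# Names the card accepts; anything else in the request is rejected.
DIRECTORY_SERVERS = {"sa_A", "sa_B", "sa_C", "sa_D"}
PROFILES = {"pa_A", "pa_B", "pa_C", "pa_D"}
ACTIONS = {"enr": 0x10}                 # action -> hypothetical INS byte


def parse_action(url):
    """Return (server, action, profile) from a request of type ?sa+enr+pa."""
    parts = urlsplit(url)
    if parts.scheme != "http" or (parts.hostname, parts.port) != LOOPBACK:
        raise ValueError("request is not addressed to the card's loopback server")
    if parts.path != CGI_PATH:
        raise ValueError("unknown script")
    fields = [unquote(f) for f in parts.query.split("+")]
    if len(fields) != 3:
        raise ValueError("expected exactly three '+'-separated fields")
    server, action, profile = fields
    if server not in DIRECTORY_SERVERS:
        raise ValueError("unknown directory server")
    if action not in ACTIONS:
        raise ValueError("unknown action")
    if profile not in PROFILES:
        raise ValueError("unknown subscriber profile")
    return server, action, profile


def command_apdu(cla, ins, p1, p2, data=b""):
    """Encode a short ISO 7816-4 command APDU (header, then Lc and data if any)."""
    for byte in (cla, ins, p1, p2):
        if not 0 <= byte <= 0xFF:
            raise ValueError("header bytes must fit in one octet")
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    header = bytes([cla, ins, p1, p2])
    return header + (bytes([len(data)]) + data if data else b"")


def tlv(tag, value):
    """One-byte tag, one-byte length encoding (constructed format)."""
    if len(value) > 255:
        raise ValueError("value too long")
    return bytes([tag, len(value)]) + value


def translate(url):
    """Translate one form request into the APDU orders for the application."""
    server, action, profile = parse_action(url)
    select = command_apdu(0x00, 0xA4, 0x04, 0x00, APP_AID)   # SELECT by AID
    body = tlv(0x01, server.encode("ascii")) + tlv(0x02, profile.encode("ascii"))
    order = command_apdu(0x80, ACTIONS[action], 0x00, 0x00, body)
    return [select, order]


if __name__ == "__main__":
    for apdu in translate("http://127.0.0.1:8080/cgi/register?sa_A+enr+pa_A"):
        print(apdu.hex())
```

Because the request only names a server and a profile, the directory URL and the profile data stay inside the card and are never taken from the request itself.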

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
EP01907762A 2000-02-10 2001-02-09 Procede d'enregistrement d'un usager sur un serveur d'annuaire d'un reseau de type internet et/ou de localisation d'un usager sur ce reseau, et carte a puce pour la mise en oeuvre du procede Withdrawn EP1169839A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0001664A FR2805108B1 (fr) 2000-02-10 2000-02-10 Procede d'enregistrement d'un usager sur un serveur d'annuaire d'un reseau de type internet et/ou de localisation d'un usager sur ce reseau, et carte a puce pour la mise en oeuvre du procede
FR0001664 2000-02-10
PCT/FR2001/000396 WO2001060026A1 (fr) 2000-02-10 2001-02-09 Procede d'enregistrement d'un usager sur un serveur d'annuaire d'un reseau de type internet et/ou de localisation d'un usager sur ce reseau, et carte a puce pour la mise en oeuvre du procede

Publications (1)

Publication Number Publication Date
EP1169839A1 true EP1169839A1 (fr) 2002-01-09

Family

ID=8846859

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01907762A Withdrawn EP1169839A1 (fr) 2000-02-10 2001-02-09 Procede d'enregistrement d'un usager sur un serveur d'annuaire d'un reseau de type internet et/ou de localisation d'un usager sur ce reseau, et carte a puce pour la mise en oeuvre du procede

Country Status (10)

Country Link
US (2) US7194545B2 (ko)
EP (1) EP1169839A1 (ko)
JP (1) JP2003523033A (ko)
KR (1) KR100723006B1 (ko)
CN (1) CN1161942C (ko)
AU (1) AU782179B2 (ko)
CA (1) CA2366570A1 (ko)
FR (1) FR2805108B1 (ko)
TW (1) TW567700B (ko)
WO (1) WO2001060026A1 (ko)

Families Citing this family (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2791159B1 (fr) * 1999-03-15 2001-05-04 Bull Cp8 Procede d'acces a un objet a l'aide d'un navigateur de type "web" cooperant avec une carte a puce et architecture pour la mise en oeuvre du procede
FR2805107B1 (fr) * 2000-02-10 2002-04-05 Bull Cp8 Procede de gestion de transmissions de donnees multimedias via un reseau de type internet, notamment de donnees telephoniques, et carte a puce pour la mise en oeuvre du procede
FR2805059A1 (fr) * 2000-02-10 2001-08-17 Bull Cp8 Procede de chargement d'une piece de logiciel dans une carte a puce, notamment du type dit "applet"
FR2805108B1 (fr) * 2000-02-10 2002-04-05 Bull Cp8 Procede d'enregistrement d'un usager sur un serveur d'annuaire d'un reseau de type internet et/ou de localisation d'un usager sur ce reseau, et carte a puce pour la mise en oeuvre du procede
JP4391711B2 (ja) * 2001-08-28 2009-12-24 富士通株式会社 装置、装置利用者管理装置および装置利用者管理プログラム
US7346783B1 (en) * 2001-10-19 2008-03-18 At&T Corp. Network security device and method
US7783901B2 (en) * 2001-12-05 2010-08-24 At&T Intellectual Property Ii, L.P. Network security device and method
US20030145096A1 (en) * 2002-01-29 2003-07-31 International Business Machines Corporation Method and device for delivering information through a distributed information system
WO2003100682A1 (en) 2002-05-29 2003-12-04 Sony Corporation Information processing system
JP4301770B2 (ja) * 2002-06-10 2009-07-22 健 坂村 接続情報管理システム、接続情報管理方法、icカード、サーバ
JP4360778B2 (ja) 2002-06-10 2009-11-11 健 坂村 Icカードの接続情報管理システム、接続情報管理方法、icカード、サーバ、端末装置
US7844717B2 (en) * 2003-07-18 2010-11-30 Herz Frederick S M Use of proxy servers and pseudonymous transactions to maintain individual's privacy in the competitive business of maintaining personal history databases
KR100971137B1 (ko) * 2003-01-09 2010-07-20 주식회사 비즈모델라인 스마트 카드 연계 처리형 마그네틱 스트라이프 기반 네트워크 카드 운영 시스템
DE10310351A1 (de) 2003-03-10 2004-09-23 Giesecke & Devrient Gmbh Laden von Mediendaten in einen tragbaren Datenträger
US20050004968A1 (en) * 2003-07-02 2005-01-06 Jari Mononen System, apparatus, and method for a mobile information server
JP3839820B2 (ja) * 2004-04-21 2006-11-01 株式会社エヌ・ティ・ティ・ドコモ データ通信装置およびデータ通信方法
JP2005309781A (ja) * 2004-04-21 2005-11-04 Ntt Docomo Inc 電子価値交換システム、及び、電子価値交換方法
US8812613B2 (en) 2004-06-03 2014-08-19 Maxsp Corporation Virtual application manager
US9357031B2 (en) 2004-06-03 2016-05-31 Microsoft Technology Licensing, Llc Applications as a service
US7908339B2 (en) * 2004-06-03 2011-03-15 Maxsp Corporation Transaction based virtual file system optimized for high-latency network connections
US7664834B2 (en) * 2004-07-09 2010-02-16 Maxsp Corporation Distributed operating system management
DE102004044454A1 (de) * 2004-09-14 2006-03-30 Giesecke & Devrient Gmbh Tragbares Gerät zur Freischaltung eines Zugangs
US8589323B2 (en) 2005-03-04 2013-11-19 Maxsp Corporation Computer hardware and software diagnostic and report system incorporating an expert system and agents
US8234238B2 (en) * 2005-03-04 2012-07-31 Maxsp Corporation Computer hardware and software diagnostic and report system
US7512584B2 (en) * 2005-03-04 2009-03-31 Maxsp Corporation Computer hardware and software diagnostic and report system
US7624086B2 (en) * 2005-03-04 2009-11-24 Maxsp Corporation Pre-install compliance system
JP4979912B2 (ja) * 2005-08-31 2012-07-18 フェリカネットワークス株式会社 情報処理システム,クライアント,サーバ,プログラム,情報処理方法
US8150944B2 (en) * 2005-09-30 2012-04-03 Sony Ericsson Mobile Communications Ab Electronic apparatus with server device for managing setting data
EP1941469A1 (fr) * 2005-10-14 2008-07-09 Gemplus SA. Personnalisation de carte a puce
US8364968B2 (en) * 2006-05-19 2013-01-29 Symantec Corporation Dynamic web services systems and method for use of personal trusted devices and identity tokens
US8898319B2 (en) 2006-05-24 2014-11-25 Maxsp Corporation Applications and services as a bundle
US8811396B2 (en) 2006-05-24 2014-08-19 Maxsp Corporation System for and method of securing a network utilizing credentials
EP1883257A1 (fr) * 2006-07-28 2008-01-30 Gemplus Procédé de synchronisation entre un equipement mobile et une carte a puce
US7987307B2 (en) * 2006-09-22 2011-07-26 Intel Corporation Interrupt coalescing control scheme
US7840514B2 (en) * 2006-09-22 2010-11-23 Maxsp Corporation Secure virtual private network utilizing a diagnostics policy and diagnostics engine to establish a secure network connection
US9317506B2 (en) * 2006-09-22 2016-04-19 Microsoft Technology Licensing, Llc Accelerated data transfer using common prior data segments
WO2008064261A2 (en) * 2006-11-21 2008-05-29 Telos Corporation Method and system for remote security token extension
US7844686B1 (en) 2006-12-21 2010-11-30 Maxsp Corporation Warm standby appliance
US8423821B1 (en) 2006-12-21 2013-04-16 Maxsp Corporation Virtual recovery server
US7908493B2 (en) * 2007-06-06 2011-03-15 International Business Machines Corporation Unified management of power, performance, and thermals in computer systems
US8175418B1 (en) 2007-10-26 2012-05-08 Maxsp Corporation Method of and system for enhanced data storage
US8645515B2 (en) 2007-10-26 2014-02-04 Maxsp Corporation Environment manager
US8307239B1 (en) 2007-10-26 2012-11-06 Maxsp Corporation Disaster recovery appliance
WO2009065154A2 (en) * 2007-11-12 2009-05-22 Mark Currie Method of and apparatus for protecting private data entry within secure web sessions
KR100971125B1 (ko) * 2008-01-09 2010-07-20 주식회사 비즈모델라인 마그네틱 스트라이프 기반 네트워크 카드 운영 방법
KR100971128B1 (ko) * 2008-01-09 2010-07-20 주식회사 비즈모델라인 마그네틱 스트라이프 기반 네트워크 카드 운영 방법
JP4546551B2 (ja) * 2008-03-18 2010-09-15 フェリカネットワークス株式会社 情報処理装置、情報処理方法、プログラムおよび情報処理システム
KR101062099B1 (ko) * 2008-08-14 2011-09-02 에스케이 텔레콤주식회사 카드에 저장된 어플리케이션의 활성화를 위한 시스템 및 방법
US8055477B2 (en) * 2008-11-20 2011-11-08 International Business Machines Corporation Identifying deterministic performance boost capability of a computer system
US8676954B2 (en) 2011-12-06 2014-03-18 Kaseya International Limited Method and apparatus of performing simultaneous multi-agent access for command execution through a single client
US10841316B2 (en) 2014-09-30 2020-11-17 Citrix Systems, Inc. Dynamic access control to network resources using federated full domain logon
US20160285493A1 (en) * 2015-03-23 2016-09-29 Stmicroelectronics S.R.L. Methods for performing a remote management of a multi-subscription sim module, and corresponding sim module and computer program product
US10958640B2 (en) * 2018-02-08 2021-03-23 Citrix Systems, Inc. Fast smart card login
CN110596566B (zh) * 2018-06-12 2022-03-04 北京华峰测控技术股份有限公司 一种用于ate系统的dpat测试方法

Family Cites Families (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2682255B2 (ja) 1991-04-19 1997-11-26 富士ゼロックス株式会社 電子メールシステム
US5353331A (en) * 1992-03-05 1994-10-04 Bell Atlantic Network Services, Inc. Personal communications service using wireline/wireless integration
DE9422419U1 (de) * 1993-06-15 2001-11-29 British Tech Group Int Telekommunikationssystem
DE69533328T2 (de) * 1994-08-30 2005-02-10 Kokusai Denshin Denwa Co., Ltd. Beglaubigungseinrichtung
US5742845A (en) * 1995-06-22 1998-04-21 Datascape, Inc. System for extending present open network communication protocols to communicate with non-standard I/O devices directly coupled to an open network
US5734831A (en) * 1996-04-26 1998-03-31 Sun Microsystems, Inc. System for configuring and remotely administering a unix computer over a network
US6557752B1 (en) * 1996-06-12 2003-05-06 Q-International, Inc. Smart card for recording identification, and operational, service and maintenance transactions
US5923884A (en) * 1996-08-30 1999-07-13 Gemplus S.C.A. System and method for loading applications onto a smart card
US5901303A (en) * 1996-12-27 1999-05-04 Gemplus Card International Smart cards, systems using smart cards and methods of operating said cards in systems
US6282522B1 (en) * 1997-04-30 2001-08-28 Visa International Service Association Internet payment system using smart card
ZA985151B (en) * 1997-06-13 1999-04-13 Gemplus Card Int Smartcard wireless telephone system and method for accessing and communication with the internet
JP3760581B2 (ja) * 1997-07-28 2006-03-29 富士通株式会社 通信相手情報検索装置及びそれを用いた通信支援システム
US6498797B1 (en) * 1997-11-14 2002-12-24 At&T Corp. Method and apparatus for communication services on a network
JP4035873B2 (ja) 1997-11-21 2008-01-23 株式会社日立製作所 IC card and IC card system
ATE249662T1 (de) 1998-02-03 2003-09-15 Mondex Int Ltd System and method for controlling access to the computer code in a smart card
FI105761B (fi) * 1998-02-13 2000-09-29 Sonera Oyj Changing the service profile of a mobile subscriber
US6986062B2 (en) * 1998-04-09 2006-01-10 Microsoft Corporation Set top box object security system
US6385651B2 (en) * 1998-05-05 2002-05-07 Liberate Technologies Internet service provider preliminary user registration mechanism provided by centralized authority
FR2781067B1 (fr) 1998-07-10 2000-09-22 Gemplus Card Int Systems for organizing a smart card for use as a server in an internet-type network
US6250557B1 (en) * 1998-08-25 2001-06-26 Telefonaktiebolaget Lm Ericsson (Publ) Methods and arrangements for a smart card wallet and uses thereof
FI109756B (fi) * 1998-09-21 2002-09-30 Nokia Corp Method for utilizing local resources in a data transmission system, data transmission system and wireless communication device
US6253203B1 (en) * 1998-10-02 2001-06-26 Ncr Corporation Privacy-enhanced database
US6347312B1 (en) * 1998-11-05 2002-02-12 International Business Machines Corporation Lightweight directory access protocol (LDAP) directory server cache mechanism and method
US6438550B1 (en) * 1998-12-10 2002-08-20 International Business Machines Corporation Method and apparatus for client authentication and application configuration via smart cards
US6481621B1 (en) * 1999-01-12 2002-11-19 International Business Machines Corporation System method and article of manufacture for accessing and processing smart card information
FR2791159B1 (fr) * 1999-03-15 2001-05-04 Bull Cp8 Method for accessing an object using a "web"-type browser cooperating with a smart card, and architecture for implementing the method
US6366950B1 (en) * 1999-04-02 2002-04-02 Smithmicro Software System and method for verifying users' identity in a network using e-mail communication
US6751459B1 (en) * 1999-04-20 2004-06-15 Nortel Networks Limited Nomadic computing with personal mobility domain name system
US6547150B1 (en) * 1999-05-11 2003-04-15 Microsoft Corporation Smart card application development system and method
US6591116B1 (en) * 1999-06-07 2003-07-08 Nokia Mobile Phones Limited Mobile equipment and networks providing selection between USIM/SIM dependent features
US20040040026A1 (en) * 1999-06-08 2004-02-26 Thinkpulse, Inc. Method and System of Linking a Smart Device Description File with the Logic of an Application Program
ATE307464T1 (de) * 1999-11-17 2005-11-15 Swisscom Mobile Ag Method and system for preparing and transmitting SMS messages in a mobile radio network
EP1107550B1 (en) * 1999-12-06 2005-11-09 Alcatel A terminal to execute a terminal application
US7111051B2 (en) * 2000-01-26 2006-09-19 Viaclix, Inc. Smart card for accessing a target internet site
US6587873B1 (en) * 2000-01-26 2003-07-01 Viaclix, Inc. System server for channel-based internet network
FR2805107B1 (fr) * 2000-02-10 2002-04-05 Bull Cp8 Method for managing multimedia data transmissions via an internet-type network, in particular telephone data, and smart card for implementing the method
FR2805108B1 (fr) * 2000-02-10 2002-04-05 Bull Cp8 Method for registering a user on a directory server of an internet-type network and/or for locating a user on that network, and smart card for implementing the method
FR2805059A1 (fr) * 2000-02-10 2001-08-17 Bull Cp8 Method for loading a piece of software into a smart card, in particular of the so-called "applet" type
US7003663B2 (en) * 2000-12-22 2006-02-21 Gemplus Distribution of deployment information for remote applications
WO2003032450A1 (en) * 2001-10-05 2003-04-17 Amphenol Corporation Improved radially resilient electrical connector and method of making the same

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO0160026A1 *

Also Published As

Publication number Publication date
AU782179B2 (en) 2005-07-07
WO2001060026A1 (fr) 2001-08-16
KR100723006B1 (ko) 2007-05-30
CA2366570A1 (en) 2001-08-16
TW567700B (en) 2003-12-21
US20020124092A1 (en) 2002-09-05
JP2003523033A (ja) 2003-07-29
US7194545B2 (en) 2007-03-20
CN1363174A (zh) 2002-08-07
CN1161942C (zh) 2004-08-11
FR2805108A1 (fr) 2001-08-17
US20070208586A1 (en) 2007-09-06
FR2805108B1 (fr) 2002-04-05
AU3565001A (en) 2001-08-20
KR20020005683A (ko) 2002-01-17

Similar Documents

Publication Publication Date Title
EP1169839A1 (fr) Method for registering a user on a directory server of an internet-type network and/or for locating a user on that network, and smart card for implementing the method
EP1169837B1 (fr) Method for managing multimedia data transmissions via the internet and smart card for implementing the method
EP1142256B1 (fr) Secure terminal provided with a smart card reader designed to communicate with a server via an internet-type network
EP1188116A1 (fr) Method for loading a piece of software into a smart card, in particular of the so-called "applet" type
EP1044436B1 (fr) Method for communication between a user station and a network, in particular of the internet type, and implementing architecture
WO2000056030A1 (fr) System for accessing an object using a 'web'-type browser cooperating with a smart card
EP1208684B1 (fr) Method for transmitting high-rate data streams over an internet-type network between a server and a smart card terminal
WO2000049584A1 (fr) Embedded system having network interface means, and method for activating applications located in this embedded system
EP1145522B1 (fr) Method and architecture for remote control of a user station via an internet-type network
FR2823333A1 (fr) Interactive terminal system with multi-application central equipment and peripherals

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

17P Request for examination filed

Effective date: 20020218

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: CP8 TECHNOLOGIES

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20070626