EP1240570A2 - Capability-based access control for applications, in particular co-operating applications, in a chip card


Info

Publication number: EP1240570A2
Authority: EP (European Patent Office)
Prior art keywords: application, access, applications, capability, objects
Legal status: Withdrawn
Application number: EP00990048A
Other languages: German (de), French (fr)
Inventors: Gilles Grimaud, Daniel Hagimont, Jean-Jacques Vandewalle
Current assignee: Thales DIS France SA
Original assignees: Gemplus Card International SA, Gemplus SA
Application filed by Gemplus Card International SA, Gemplus SA

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
      (path: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
      (path: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/2153 Using hardware token as a secondary aspect
      (same path as G06F2221/2141)

Definitions

  • The invention relates to smart cards, also called microcontroller cards or integrated circuit cards, and more generally to open, programmable data processing means that can be loaded with applications written in high-level programming languages.
  • An open chip card, as presented for example in document WO 98/19237, manages several applications, for example a customer account for a store, a bank account or an electronic purse. Some applications loaded into the card sometimes cooperate, for example to pay for a purchase in the store, and/or also cooperate with applications running outside the card.
  • Application cooperation requires the establishment of access right rules, since applications do not necessarily trust each other. For example, the customer account managed by the store must not take over data managed by the electronic purse.
  • Access control management consists in associating access rights to the objects managed in the environment for each user, and in verifying that these access rights are respected.
  • The management of access control is shown diagrammatically in FIG. 1 by the management of an access matrix MA.
  • The rows of the matrix MA correspond to the rights on J objects O1 to OJ and the columns of this matrix correspond to the rights of I users U1 to UI.
  • In practice, the matrix MA is partially empty, users often having no rights on many objects, and it takes one of two configurations: a grouping of access rights by row, or a grouping of access rights by column.
  • Grouping by row amounts to associating with each object Oj an access list indicating the access rights D1j to DIj on the object for the users U1 to UI respectively.
  • Only the owner of an object Oj modifies the access list D1j to DIj associated with the object; such a modification is made explicitly by calling an operation on the object requesting the modification of its access list.
  • Protection schemes based on access lists are therefore qualified as static, the modification of access rights being complex and users tending to oversize the access rights of their objects. This goes against the principle of least privilege (need-to-know principle), according to which access rights are granted only as and when required.
  • Grouping by column associates with each user Ui a capability list indicating the access rights Di1 to DiJ of the user on the objects over which the user has a right.
  • Each item (Oj, Dij) in the list is called a capability.
  • A capability is a descriptor containing the identification of an object Oj as well as a definition of the access rights Dij on this object.
  • A user has a list of capabilities; a capability can be compared to a token giving the right to perform an operation on the object.
  • A capability identifies an object, but also includes a definition of access rights on the object.
  • A capability can then be used as an object identifier that an application can pass as a parameter to another application, following a conventional programming mode, with the limitation that this identifier does not authorise all operations on the designated object.
  • Capabilities provide greater dynamism in the management of access control, since access rights can easily be exchanged between users of the environment. However, when a user or an application must pass a capability on an object as a parameter, the user or application must first decide on the rights to be transferred with the capability. An operation generally makes it possible to reduce the rights associated with the capability, if necessary, before passing it as a parameter.
  • Document US 5781633 illustrates an earlier technique allowing the filtering, by means of capabilities, of exchanges of object references between different processes.
  • The process disclosed by that document is ineffective.
  • The access requester process can modify the filter sent to it as it pleases and access
  • The invention relates more particularly to an access control mechanism based on a scheme of
  • The invention implements a capability model in the context of the smart card to pursue two objectives:
  • the invention aims to make the application code independent of protection;
  • the specification of the protection policy, that is to say of the capability management, is separate from the application code.
  • Achieving these two objectives provides great simplicity in programming access control, which also reduces the cost of code development and maintenance, as well as the risk of protection programming errors.
  • The first objective leads to separating the development of the application from the management of access rights, thus reducing complexity.
  • The application programmer programs applications without worrying about managing access rights; these are specified separately in a simple and very intuitive formalism.
  • The invention offers a uniform model for managing access rights, even though the underlying constraints are very different inside the card and outside the card.
  • The two objectives respond to the same motivation: masking the complexities inherent in protection and in the card, and simplifying the programming of protected cooperating applications.
  • The invention provides a process for generating applications, characterised in that it comprises:
  • - a step of developing an application comprising one or several objects, without restriction of access;
  • - a step of defining access right rules for the object or objects included within the application, from a second application or from several other applications;
  • - a step of transforming the application comprising the object or objects by adding to said application means for filtering access to said object or objects, in order to implement an access control method ensuring the cooperation of the applications;
  • - a step of implementing the transformed application within a data processing means.
  • The data processing means is included in a smart card.
  • The data processing means is included in a docking station for the smart card.
  • The access control method between two applications, each cooperating by means of capabilities on objects belonging to the other application, the applications cooperating through at least one operating system, is characterised by the following step: when one of the applications, called the access requesting application, is given access to an object belonging to the other application, called the access providing application, two capabilities are created as objects, respectively in said access requesting and access providing applications; the capability created in the access providing application limits access to said object, and the capability created in the access requesting application associates the access requesting application with the capability created in the access providing application.
  • When, on accessing an object belonging to one of the applications, a second object belonging to one of the applications is passed to the other application, the method comprises the step of adding two other capabilities, respectively in the two applications, to protect access to the second object.
  • The capability to access the second object belonging to one of the applications is passed as a parameter or as a result to the other application.
  • The applications can be implemented in a common data processing means, for example in a smart card or a terminal.
  • In a smart card, the verification of the code loaded into the smart card ensures that a capability cannot be created by a pirate programmer.
  • Alternatively, the applications are implemented in two remote data processing means exchanging access messages to remote objects.
  • The step of adding two other capabilities can then preferably comprise the storage of a secret word in the two other capabilities, passed to them by the two capabilities previously created in the creation step, in order to validate access to the second object.
  • The data processing means can be included respectively in a smart card and a smart card docking station, or in two separate smart cards, or in two controllers of a smart card or a terminal.
  • FIG. 1 shows a matrix of access rights, already commented on;
  • FIG. 2 is a block diagram showing interfaces between a bank application and a client application;
  • FIG. 3 is a block diagram showing the interfaces of two cooperating applications according to the invention;
  • FIG. 4 is a block diagram showing the installation of filter objects between two cooperating applications at an initial step of the method according to the invention;
  • FIG. 5 is a block diagram showing the addition of two filters when a method is called by an application on a first object in another application, according to a first embodiment of the method of the invention;
  • FIG. 6 is a block diagram similar to FIG. 5, showing the addition of two filters when a method is called by an application in a docking station on a first object in another application in a chip card, according to a second embodiment of the invention.
  • The general concept underlying the invention is capability management, that is to say the management of basic access rights, separately from an application.
  • This cooperation protocol generally takes the form of a common interface allowing applications to call each other. More precisely, in the context of the JAVA Card, each application which wishes to call another application does so by using a JAVA interface, which is the one that the called application is supposed to provide.
  • A bank BA, that is to say a bank application in a server, manages accounts for clients.
  • A client CL connects to the bank through a counter (ATM) object OG.
  • The bank returns to the client a reference Ref on his bank account object OC so that he can read the status of his account.
  • Each of the bank and client applications knows the cooperation interfaces IG and IC, which are those of the counter and account objects.
  • The counter object interface IG allows the customer to connect to the bank by giving his name and an access code, such as a Personal Identity Number (PIN), and returns the reference Ref to the account object OC.
  • The interface IC of the account object provides two methods, respectively for reading and writing the balance of the bank account, the syntax used being that of the JAVA language.
  • The protection requirements in this example are presented below.
  • The bank has all rights over its own objects. But it is unthinkable that the bank should grant all rights to its customers. A customer can read the balance of his bank account, but must not be allowed to write the balance of his account arbitrarily. This is why, in a capability protection scheme, the bank returns as the result of the connection operation a capability corresponding to the reference on the account object, but with rights that only allow the account reading operation to be called.
  • The bank, which has all rights over its own objects, including the account object, creates a capability authorising only reading on this object and returns this capability to its client. Since the first objective of the invention is to separate the definition of the protection policy from the application code, the invention aims more particularly to provide rules for the exchange of capabilities between the applications at the level of the interfaces used to cooperate.
  • This programming tool specifies, in the interfaces used, the capability that must be transferred during a parameter transmission between applications.
  • The word "String" designates a character string object:
  • The programming tool allows each of the applications, the bank application and the client application in the previous example, to define its own protection rules.
  • The capability includes the protection rules defined by the application AA, grouped in a protected interface or "view" IA, and the protection rules defined by the application AB, grouped in a protected interface or "view" IB.
  • The view IB has two roles: limiting the methods that the application AA can call on the object OB, and associating the view chosen by the application AB with the capabilities entering and leaving the application AB when the object OB is called.
  • The view IA only fulfils the second role, for the capabilities entering and leaving the application AA.
  • The view IA associates a view IA' with this capability and the view IB associates a view IB' with this capability.
  • Another aspect of the invention is the integration of the programming tool in the context of the smart card.
  • Applications are loaded into the card. These applications, called internal applications, interact with each other, but also with applications, called external applications, executed in a docking station, such as a bank terminal, a point of sale or a mobile radiotelephone terminal, in which the card is inserted.
  • The programming tool associated with the invention is implemented by considering the following parts of this context related to the card and to the docking station:
  • The JAVA Card smart card is a protected environment in the sense that the JAVA code loaded into the smart card is verified before it is actually loaded. This verification aims to ensure that the code to be loaded has certain properties of JAVA code, mainly related to security.
  • The JAVA language does not allow direct manipulation of addresses, and therefore cannot arbitrarily overwrite memory, which provides a certain degree of security when different programs are hosted in the same JAVA virtual machine.
  • The implementation of the protection scheme of the invention takes account of this internal context of the card for the implantation of the capabilities in the card.
  • The docking station in which the card is inserted is not necessarily a secure environment. Indeed, the card can be inserted into any docking station, and the docking station can very well send fabricated data to fool the card. When they are propagated outside the card, the capabilities are, according to the invention, protected by secrets which make it possible to verify the validity of the capabilities used by applications external to the card.
  • The invention thus relates to a programming tool for programming the management of access rights between cooperating applications running in the smart card or in the docking station.
  • The definition of the rules for managing access rights is separated from the application code, which gives greater clarity. Integration in the context of the JAVA Card smart card requires managing the capabilities inside and outside the smart card differently.
  • The programming tool associated with the invention specifies the rules for protecting an application separately from the code of the application.
  • The interface Iab contains the definitions of three methods meth1, meth2 and meth3.
  • The method meth1 takes as parameter p1 a reference to an object of interface type I1 and does not return any result.
  • The method meth2 takes no parameters and returns a result of interface type I2.
  • The method meth3 takes no parameters and returns no result.
  • Each application then specifies protection interfaces called views, for example the following views Iab_V, I1_V1 and I2_V2:
  • Iab_V { void meth1(I1_V1 p1); I2_V2 meth2(); NOT void meth3(); }
  • The applications Aa and Ab have the possibility of specifying the protection to be associated with this capability by associating a view with it.
  • The view Iab_V indicates that only the methods meth1 and meth2 are allowed. It also indicates that if the method meth1 is called, then the application, which can be a calling application or a called application, protects itself by associating the view I1_V1 with the capability passed as parameter. Finally, it indicates that if the method meth2 is called, then the application protects itself by associating the view I2_V2 with the capability passed as result.
  • The view that the application Aa associates with this capability allows the application Aa to control the capabilities which enter and leave it, that is, to associate a view with these capabilities.
  • The view that the application Ab associates with this capability allows the application Ab to control the capabilities which enter and leave it, but also to limit the methods which can be called on the object of the application Ab.
  • The first export of an access capability from the application Ab to the other application Aa, and the first import of this capability by the other application Aa, go through a name server.
  • The application Ab exports the access capability by associating it with a symbolic name, such as a character string.
  • The application Aa imports the exported access capability by interrogating the name server with the symbolic name.
  • The application Ab exports the capability by explicitly specifying the view that the application Ab associates with it.
  • The application Aa imports the exported capability by explicitly specifying the view that the application Aa associates with it.
  • The specified view indicates, for all the exchanges of capabilities as parameters arising from this first exchange, the views that will be associated with these capabilities passed as parameters.
  • The protection policy for each application according to the invention is specified at the interface level and is not embedded in the application code.
  • The implementation of the protection policy according to the invention is based on the concept of filter objects, which "illustrate" capability objects (in the French text "capacités", meaning aptitudes or faculties) and are inserted between the applications Aa and Ab.
  • A filter class is generated, and an instance of this class is inserted at runtime in the access chain to an object whose capability is exported.
  • In FIG. 4, if at an initial step E0 access to an object Ob belonging to the application Ab is given to the application Aa, the view of the application Aa for the capability of this access is implemented by a filter Fa and the view of the application Ab for this capability is implemented by a filter Fb.
  • A filter class defines all the methods declared in the view that the filter implements. Its role is to retransmit the method call to its successor in the access chain to the object. In the example shown in FIG. 4, the filter Fa retransmits the call to the filter Fb and the filter Fb to the object Ob.
  • A filter class implements the protection policy defined by the view from which it is generated: the filter Fb only lets through the methods authorised by the view of the application Ab, and the filters Fa and Fb also implement the association of views with the capabilities passed as parameters.
  • The view Iab_V indicates the association of the view I1_V1 with the parameter p1 of the method meth1.
  • The association of the view with the capability is implemented by inserting into the access chain to the object passed as parameter a filter object corresponding to the view.
  • The application Aa has, at the initial step E0, a capability towards the object Ob of the application Ab, and as in FIG. 4, subsequent accesses to the object Ob are protected by the filter Fa(Ob) of the application Aa and by the filter Fb(Ob) of the application Ab.
  • A capability on an object Oa belonging to the application Aa is passed as a parameter to the other application Ab.
  • The filter Fa(Ob) adds the filter Fa(Oa) and passes it as the parameter of the method meth1 instead of the direct reference to the object Oa.
  • The filter Fb(Ob) adds the filter Fb(Oa) and passes it as the parameter of the method meth1 instead of the received parameter.
  • The filter objects Fa(Ob) and Fb(Ob), when called, are therefore responsible for installing the filter objects Fa(Oa) and Fb(Oa) for the references passed as parameters; in other words, two capabilities, illustrated by the filters Fa(Oa) and Fb(Oa), protecting access to the object Oa are added respectively in the applications Aa and Ab.
  • Filter classes F_I1_V1 and F_I2_V2 are created respectively. It is assumed that the two cooperating applications Aa and Ab are in the same JAVA environment, and the following lines are still written in JAVA code, in which the keyword public means that the declared method is accessible to all classes, the keyword void means that the declared method returns no result when executed, and the keyword new designates a class instantiation operator:
  • The variable obj is a reference to the next entity in the path to the object, the second filter or the real object. It is used to retransmit the call if it is authorised.
  • The method F_Iab_V is the constructor of the filter class. It initialises the variable obj.
  • When the application Aa imports a capability from the name server and wants to associate the view Iab_V with it, it calls the constructor, passing the received JAVA reference as parameter.
  • The method meth1 retransmits a call which is therefore authorised, but it must associate the view I1_V1 with the capability passed in parameter p1.
  • The method meth1 creates, by the operator new, a filter F_I1_V1 from the received parameter, then retransmits the call by passing in parameter p1 the reference to the created filter.
  • The method meth2 retransmits the call and receives a capability in return. It must associate the view I2_V2 with it.
  • The method meth2 therefore creates an instance of the class F_I2_V2 from the received result, and returns by the return instruction the reference to the filter object created as the result of the method meth2.
  • The method meth3 does not retransmit the call, since it is not authorised, and therefore raises an exception.
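The filter class generated from the view Iab_V, written out as an added example rather than the patent's own listing: F_Iab_V is the filter the application Aa installs on import (the patent's Fa), meth1 wraps its parameter in F_I1_V1, meth2 wraps its result in F_I2_V2 and meth3 is refused. The method sets of I1 and I2, the choice that I1_V1 permits only use() and I2_V2 only readBalance(), and the demonstration objects in main are assumptions; the patent chains a second filter Fb on the Ab side, which is not shown here.

```java
// Added example (not from the patent): filters generated from the views
//   Iab_V { void meth1(I1_V1 p1); I2_V2 meth2(); NOT void meth3(); }
// The interface bodies and the objects Ob/Oa/Account are constructed for the demo.
import java.util.Objects;

// Cooperation interfaces (the page's Iab, I1 and I2; their method sets are assumed).
interface I1 { void use(); void reset(); }
interface I2 { int readBalance(); void writeBalance(int v); }
interface Iab { void meth1(I1 p1); I2 meth2(); void meth3(); }

// Filter generated from view I1_V1 (assumed to authorise use() only).
final class F_I1_V1 implements I1 {
    private final I1 obj;                      // next entity in the access chain
    F_I1_V1(I1 obj) { this.obj = Objects.requireNonNull(obj); }
    public void use()   { obj.use(); }         // authorised: retransmit the call
    public void reset() { throw new SecurityException("reset() not in view I1_V1"); }
}

// Filter generated from view I2_V2 (assumed read-only, like the bank account example).
final class F_I2_V2 implements I2 {
    private final I2 obj;
    F_I2_V2(I2 obj) { this.obj = Objects.requireNonNull(obj); }
    public int readBalance() { return obj.readBalance(); }
    public void writeBalance(int v) { throw new SecurityException("writeBalance() not in view I2_V2"); }
}

// Filter generated from view Iab_V: the page's F_Iab_V.
final class F_Iab_V implements Iab {
    private final Iab obj;                     // second filter or the real object
    F_Iab_V(Iab obj) { this.obj = Objects.requireNonNull(obj); }
    // meth1 is authorised, but the capability in p1 must carry view I1_V1:
    // a filter is inserted in the access chain instead of the raw reference.
    public void meth1(I1 p1) { obj.meth1(new F_I1_V1(p1)); }
    // meth2 is authorised; the capability received as result gets view I2_V2.
    public I2 meth2() { return new F_I2_V2(obj.meth2()); }
    // meth3 is not in the view: the call is not retransmitted.
    public void meth3() { throw new SecurityException("meth3() not in view Iab_V"); }
}

public class ViewFilterDemo {
    // Constructed stand-ins for the real objects Oa (a counter) and Ob (with its account).
    static final class Counter implements I1 {
        int n;
        public void use()   { n++; }
        public void reset() { n = 0; }
    }
    static final class Account implements I2 {
        int balance = 100;
        public int readBalance() { return balance; }
        public void writeBalance(int v) { balance = v; }
    }
    static final class Ob implements Iab {
        final Account account = new Account();
        I1 lastParam;                           // what Ab actually received in p1
        public void meth1(I1 p1) { lastParam = p1; p1.use(); }
        public I2 meth2() { return account; }
        public void meth3() { }
    }

    public static void main(String[] args) {
        Ob ob = new Ob();
        Iab cap = new F_Iab_V(ob);   // the capability Aa holds after importing from the name server

        Counter oa = new Counter();
        cap.meth1(oa);               // Ob receives F_I1_V1(oa), never oa itself
        System.out.println("counter used once: " + (oa.n == 1));
        try { ob.lastParam.reset(); }
        catch (SecurityException e) { System.out.println("Ab cannot reset Oa: " + e.getMessage()); }

        I2 acct = cap.meth2();       // result wrapped in F_I2_V2
        System.out.println("balance readable: " + acct.readBalance());
        try { acct.writeBalance(0); }
        catch (SecurityException e) { System.out.println("Aa cannot write balance: " + e.getMessage()); }

        try { cap.meth3(); }
        catch (SecurityException e) { System.out.println("meth3 refused: " + e.getMessage()); }
    }
}
```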
  • Method calls between a docking station SA, such as a terminal, and a smart card CP, as shown diagrammatically in FIG. 6, are implemented by messages, called application protocol data units (APDU), between the docking station SA and the smart card CP, these method calls being made only in the direction from the docking station to the card.
  • The docking station and the smart card, or alternatively two smart cards or two controllers in a smart card or a terminal, comprise microcontrollers constituting data processing means which are respectively master and slave, and which dialogue according to an asynchronous data exchange protocol which obliges the docking station to interrogate the card periodically so that it triggers an action in response to the docking station.
  • In the following, the docking station may be replaced by another smart card, that is to say the cooperating applications Aa and Ab are installed respectively in two smart cards, or more generally in two controllers.
  • The asynchronous data exchange protocol implies that, for a call relating to an object Ob1 from the application Aa in the docking station SA to the application Ab in the card CP to which the object Ob1 belongs, when a call is retransmitted between two filter objects Fa(Ob1) and Fb(Ob1) relating to the object Ob1, this retransmission of the call takes the form of a message exchange between the docking station and the card.
  • A docking station of unknown origin (pirate) is then able to construct a message corresponding to a method call, although it is not actually authorised to make this method call. This amounts to creating a capability, which is not possible in the protection scheme according to the invention.
  • Secrets such as a password mdp, possibly based on encryption methods, are therefore used.
  • The filter Fb(Ob1) creates the filter Fb(Ob2) in the operating system of the card CP for this access capability.
  • The filter Fb(Ob1) then generates a secret, such as a password mdp, which is stored in the filter Fb(Ob2) and returned to the filter Fa(Ob1), which also stores it.
  • The filter Fa(Ob1) creates the filter Fa(Ob2) in the docking station SA for the returned access capability.
  • The filter Fa(Ob1) passes to the filter Fa(Ob2) the password mdp stored there.
  • Access to the object Ob2 is protected in the applications Aa and Ab respectively by two added capabilities, illustrated by the filters Fa(Ob2) and Fb(Ob2).
  • When, in step E4, this capability returned as a parameter is used to call a method on the object Ob2, the call between the filters Fa(Ob2) and Fb(Ob2) includes the password in the APDU message, which allows the filter Fb(Ob2) to verify that the capability to access the object Ob2 is valid.
  • The invention thus creates, by naming, a correspondence between an object and a capability illustrated by a filter, managed by the operating systems in the data processing means, such as the docking station and the smart card. If an object is deleted in an application, the respective operating system destroys the corresponding filter.
  • The above protection scheme uses references, kinds of pointers, to JAVA objects, which are almost capabilities. Indeed, since the JAVA language is safe, it is not possible in a JAVA program to fabricate a reference to an object and to call a method on this object. This implies that if an object O1 creates an object O2, the object O2 is not accessible from the other objects of the JAVA environment as long as the object O1 does not explicitly transmit a reference to the object O2 to these other objects. This reference transmission can only be done by passing a parameter when an object calls the object O1 or when the object O1 calls another object.
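The second embodiment (steps E2 to E4 above), as an added simulation that is not from the patent: the card-side filter Fb(Ob1) generates the secret mdp when it exports a capability on Ob2, the station-side filter Fa(Ob1) stores it for Fa(Ob2) and replays it in every later call, and a message that names the handle of Ob2 without the secret is rejected by Fb(Ob2). The message records, the object handles, the use of SecureRandom for mdp and of MessageDigest.isEqual for the comparison are assumptions.

```java
// Added example (not from the patent): secret-protected capabilities across the
// docking station / card boundary. Message format and handle numbering are constructed.
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// A method call carried in an APDU-like message from the docking station to the card.
record CallMessage(int objectHandle, String method, byte[] secret) {}
// Reply: a status, plus a new capability (handle and secret) when one is exported.
record Reply(String status, int newHandle, byte[] newSecret) {}

// Card side (application Ab): the operating system holds the Fb filters by object handle.
final class CardSide {
    private final SecureRandom rng = new SecureRandom();
    private final Map<Integer, byte[]> secrets = new HashMap<>();   // Fb(Obi) -> mdp
    private final Map<Integer, Integer> balances = new HashMap<>(); // constructed state of Ob2 objects
    private int nextHandle = 2;

    CardSide() { secrets.put(1, null); }  // Ob1 was exported via the name server at E0: no mdp

    Reply process(CallMessage m) {
        if (!secrets.containsKey(m.objectHandle())) return new Reply("UNKNOWN_OBJECT", -1, null);
        byte[] expected = secrets.get(m.objectHandle());
        // Step E4: Fb(Ob2) verifies the secret (constant-time) before letting the call pass.
        if (expected != null && (m.secret() == null || !MessageDigest.isEqual(expected, m.secret())))
            return new Reply("INVALID_CAPABILITY", -1, null);
        switch (m.method()) {
            case "meth2": {                    // Step E2: Ob1.meth2() returns a capability on Ob2
                int h = nextHandle++;
                byte[] mdp = new byte[16];
                rng.nextBytes(mdp);             // Fb(Ob1) generates mdp ...
                secrets.put(h, mdp);            // ... stores it in the new filter Fb(Ob2) ...
                balances.put(h, 100);
                return new Reply("OK", h, mdp); // ... and returns it to Fa(Ob1)
            }
            case "readBalance": {
                Integer b = balances.get(m.objectHandle());
                return new Reply(b == null ? "NOT_AUTHORISED" : "OK:" + b, -1, null);
            }
            default:
                return new Reply("NOT_AUTHORISED", -1, null);
        }
    }
}

// Docking-station side (application Aa): the Fa filters remember each capability's mdp.
final class StationSide {
    private final CardSide card;
    private final Map<Integer, byte[]> secrets = new HashMap<>();   // Fa(Obi) -> mdp
    StationSide(CardSide card) { this.card = card; secrets.put(1, null); }

    // Fa(Ob1) calls meth2 and creates Fa(Ob2), passing it the returned mdp (step E3).
    int importCapability(int viaHandle) {
        Reply r = card.process(new CallMessage(viaHandle, "meth2", secrets.get(viaHandle)));
        if (!r.status().equals("OK")) throw new IllegalStateException(r.status());
        secrets.put(r.newHandle(), r.newSecret());
        return r.newHandle();
    }
    // Honest use: Fa(Ob2) adds the stored mdp to the APDU message.
    String call(int handle, String method) {
        return card.process(new CallMessage(handle, method, secrets.get(handle))).status();
    }
}

public class SecretCapabilityDemo {
    public static void main(String[] args) {
        CardSide card = new CardSide();
        StationSide station = new StationSide(card);
        int ob2 = station.importCapability(1);
        System.out.println("call through Fa(Ob2): " + station.call(ob2, "readBalance"));
        // A station that knows only the handle, not mdp, has not obtained a capability:
        Reply forged = card.process(new CallMessage(ob2, "readBalance", new byte[16]));
        System.out.println("message without mdp: " + forged.status());
    }
}
```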

Abstract

The invention concerns an application programmer no longer responsible for managing access rights, the application code being independent of the protection in the chip card. The capability-based access control consists, when an application (Aa), for example in a docking station, is given access to an object (Ob1) pertaining to the other application (Ab) in a chip card (CP), in creating two capabilities (Fa(Ob1), Fb(Ob1)) respectively in the applications, as objects, to protect all subsequent accesses to the object by filtering them through the two capabilities. On accessing (E1) an object (Ob1) pertaining to an application (Ab), if a second object (Ob2) pertaining to the other application (Ab) is passed on to the latter, two other capabilities (Fa(Ob2), Fb(Ob2)) are added (E2) in the applications to protect access to the second object.

Description

Contrôle d'accès par capacités pour des applications notamment coopérantes dans une carte à puce Access control by capacity for particularly cooperative applications in a smart card
L'invention concerne les cartes à puce, dites également cartes à microcontrôleur ou cartes à circuit intégré, et plus généralement des moyens de traitement de données ouverts programmables pouvant être chargés ' d ' applications écrites dans des langage de programmation évolués. Une carte à puce ouverte, telle que présentée par exemple dans le document WO 98/19237, gère plusieurs applications, par exemple un compte client pour un magasin, un compte bancaire ou un porte- monnaie électronique. Certaines applications chargées dans la carte coopèrent parfois par exemple pour payer un achat du magasin, et/ou coopèrent également avec des applications s 'exécutant hors de la carte.The invention relates to smart cards, also called microcontroller card or integrated circuit cards, and more generally programmable open data processing means can be charged 'for applications written in high level programming language. An open chip card, as presented for example in document WO 98/19237, manages several applications, for example a customer account for a store, a bank account or an electronic purse. Some applications loaded into the card sometimes cooperate, for example, to pay for a purchase from the store, and / or also cooperate with applications running outside the card.
La coopération des applications impose l'établissement de règles de droit d'accès, les applications ne se faisant pas forcément confiance. Par exemple, le compte client géré par le magasin ne doit pas s'approprier de données gérées par le porte- monnaie électronique.Application cooperation requires the establishment of access right rules, since applications do not necessarily trust each other. For example, the customer account managed by the store must not take over data managed by the electronic purse.
In a computing environment, access-control management consists in associating, for each user, access rights to the objects managed in the environment, and in verifying that these access rights are respected. Access-control management is represented schematically in Figure 1 by the management of an access matrix MA. The rows of the matrix MA correspond to J objects O1 to OJ and its columns correspond to I users U1 to UI. The cell at the intersection of a row and a column gives the access rights Dij of user Ui on object Oj, with 1 ≤ i ≤ I and 1 ≤ j ≤ J, for example the right to read, write or execute a file. In practice the matrix MA is largely empty, users often having no rights at all on many objects, and it is stored in one of two configurations: access rights grouped by row, or access rights grouped by column.
Grouping by row amounts to associating with each object Oj an access list giving the access rights D1j to DIj on that object for users U1 to UI respectively. In management by access lists attached to objects, only the owner of an object Oj modifies the access list D1j to DIj associated with the object; such a modification is made explicitly by calling an operation on the object that requests the modification of its access list. Protection schemes based on access lists are therefore described as static: modifying access rights is cumbersome, and users tend to over-provision the access rights on their objects. This runs counter to the principle of least privilege (need-to-know principle), according to which access rights are granted only as and when they are needed.
Grouping by column associates with each user Ui a capability list giving the access rights Di1 to DiJ of that user on the objects over which the user holds a right. Each element (Oj, Dij) of the list is called a capability. A capability is a descriptor containing the identification of an object Oj together with a definition of the access rights Dij on that object. In management by capabilities, a user holds a list of capabilities, a capability being comparable to a token that gives the right to perform an operation on the object. A capability identifies an object but additionally includes a definition of the access rights on it. A capability can therefore be used as an object identifier that an application can pass as a parameter to another application, following a conventional programming style, with the restriction that this identifier does not authorise every operation on the designated object.
It follows that modifying access rights is more natural with capabilities: granting an application or a user access rights to an object amounts to passing it, as a parameter of an operation, the identity of the object in the form of a capability.
Capabilities bring greater dynamism to access-control management, since access rights can easily be exchanged between the users of the environment. However, when a user or an application has to pass a capability on an object as a parameter, it must first decide which rights are to be transferred with the capability. An operation generally makes it possible to reduce the rights associated with the capability, if necessary, before passing it as a parameter.
In the prior art, both hardware and software implementations of capabilities comparable to tokens are known. The first hardware implementations relied on specialised machines in the 1970s. The addressing mechanism of these machines implemented the notion of capability directly: an address register used to address an object also held the access rights to that object (the register containing the token). The values of these registers could be exchanged between users but could not be forged, since the hardware did not allow it. Software implementations, more recent and dating from the 1980s, relied on cryptography to protect capabilities: a capability was signed and could be created only by the owner of the object.
Thus, document US 5781633 illustrates a prior-art technique that filters, by means of capabilities, exchanges of object references between different processes. Cryptographic methods are used mainly to guarantee the integrity of the references exchanged. Cooperation between processes is achieved by transmitting a reduced view of an object of one process to a second process. The filter thus created is installed within the process requesting access. In a context of mutually suspicious processes, the method disclosed by that document is ineffective: the process requesting access can modify the filter transmitted to it at will and thereby access methods that are nevertheless forbidden to it.
The invention relates more particularly to an access-control mechanism based on a capability protection scheme for managing cooperation between applications in the context of a chip card. The chip-card context is characterised by cooperation between applications that was not planned in advance. It is therefore difficult to satisfy a protection scheme such as access lists, in which access rights are most often pre-established. The dynamism of the capability-based scheme is a genuine need.
In current solutions in the chip-card context, a programmer must manage capabilities "by hand" in the application code, which makes the programming of protected applications complex.
The invention implements a capability model in the chip-card context in pursuit of two objectives:
- To preserve the simplicity of programming in the JAVA language in the context of the JAVA Card. To this end, the invention aims to make the application code independent of the protection. The specification of the protection policy, that is to say of the capability management, is separated from the application code.
- To allow cooperation between applications in the card, but also between applications in the card and applications outside the card. This requires treating the operating system in the card as a secure environment and the outside of the card as a hostile environment.
Achieving these two objectives by means of the invention brings great simplicity to the programming of access control, which also reduces the cost of developing and maintaining the code, as well as the risk of programming errors in the protection.
The first objective leads to separating application development from access-right management, thereby reducing complexity. The application programmer writes applications without worrying about the management of access rights, which is specified separately in a simple and very intuitive formalism.
For the second objective, the invention offers a uniform model for managing access rights, even though the underlying constraints are very different inside the card and outside it.
Both objectives answer the same motivation: to hide the complexities inherent in protection and in the card, and to simplify the programming of protected cooperating applications.
To achieve these objectives, the invention provides a method for generating applications, characterised in that it comprises:
- a step of developing an application comprising one or more objects, without any access restriction;
- a step of defining access-right rules for the object or objects included within the application, from a second application or from several other applications;
- a step of transforming the application comprising the object or objects by adding to said application means for filtering access to said object or objects, in order to implement an access-control method ensuring the cooperation of the applications;
- a step of installing the transformed application within a data-processing means.
According to a first embodiment, the data-processing means is included in a chip card. According to a second embodiment, the data-processing means is included in a docking station for the chip card.
Furthermore, according to the invention, the access-control method between two applications that each cooperate by means of capabilities on objects belonging to the other application, the applications cooperating through at least one operating system, is characterised by the following step: when one of the applications, called the access-requesting application, is given access to an object belonging to the other application, called the access-providing application, two capabilities are created as objects, respectively in said access-requesting and access-providing applications; the capability created in the access-providing application limits access to said object, and the capability created in the access-requesting application associates the access-requesting application with the capability created in the access-providing application.
According to another aspect of the invention, when an object belonging to one of the applications is accessed, if a second object belonging to one of the applications is passed to the other application, the method comprises the step of adding two further capabilities, respectively in the two applications, to protect access to the second object. In practice, the capability for accessing the second object belonging to one of the applications is passed to the other application as a parameter or as a result.
According to a first embodiment, the applications may be installed in a common data-processing means, for example in a chip card or a terminal. In the case of a chip card, the verification of the code loaded into the card ensures that a capability cannot be created by a malicious programmer.
According to a second embodiment, the applications are installed in two remote data-processing means that exchange messages for accessing remote objects. The step of adding two further capabilities may then preferably comprise storing a secret word in the two further capabilities, passed to them by the two capabilities previously created in the creating step, in order to validate access to the second object.
The data-processing means may be included respectively in a chip card and a docking station for the chip card, or in two distinct chip cards, or in two controllers of a chip card or of a terminal.
Other features and advantages of the present invention will become clearer on reading the following description of several preferred embodiments of the invention, with reference to the corresponding appended drawings, in which:
- Figure 1 shows an access-rights matrix, already discussed;
- Figure 2 is a block diagram showing the interfaces between a bank application and a client application;
- Figure 3 is a block diagram showing the interfaces of two cooperating applications according to the invention;
- Figure 4 is a block diagram showing the installation of filter objects between two cooperating applications at an initial step of the method according to the invention;
- Figure 5 is a block diagram showing the addition of two filters when an application calls a method on a first object in another application, according to a first embodiment of the method of the invention; and
- Figure 6 is a block diagram similar to Figure 5, showing the addition of two filters when an application in a docking station calls a method on a first object in another application in a chip card, according to a second embodiment of the invention.
The general concept underlying the invention is the management of capabilities, that is to say of elementary access rights, separately from the application.
When two applications cooperate, the cooperation follows a pre-established cooperation protocol, which generally takes the form of a common interface allowing the applications to call one another. More precisely, in the context of the JAVA Card, each application wishing to call another application does so by using a JAVA interface, namely the one that the called application is supposed to provide.
With reference to the example illustrated in Figure 2, a bank BA, that is to say a bank application in a server, manages accounts for clients. When a client CL connects to the bank through a Guichet (counter) object OG, the bank returns to it a reference Ref to its Compte (bank account) object OC so that it can read the state of its account. Each of the bank and client applications knows the cooperation interfaces IG and IC, which are those of the Guichet and Compte objects. The interface IG of the Guichet object allows the client to connect to the bank by giving its name and an access code, such as a personal identification number (PIN), and returns to it the reference Ref to the Compte object OC. The interface IC of the Compte object provides two methods, for reading and writing the balance of the bank account respectively, the syntax used being that of the JAVA language.
The protection requirements in this example are as follows. The bank holds all rights on its own objects, but it is unthinkable for the bank to grant all rights to its clients. A client may read the balance of its bank account but must not be allowed to write the balance of its account arbitrarily. This is why, in a capability-based protection scheme, the bank returns, as the result of the connection operation, a capability corresponding to the reference to the Compte object, but with rights that allow only the account-reading operation to be called. The bank, which holds all rights on its own objects including the Compte object, creates a capability authorising only reading on that object and returns this capability to its client. Since the first objective of the invention is to separate the definition of the protection policy from the application code, the invention aims more particularly to provide rules for exchanging capabilities between applications at the level of the interfaces used to cooperate.
In the example shown in Figure 2, the programmed access control is located at the interface of the Guichet object OG of the bank BA. According to a first aspect of the invention, this programming tool specifies, in the interfaces used, the capability to be transferred when a parameter is passed between applications. The result is a "protected" interface called a view, which takes the following form in the JAVA language, the word String denoting a character-string object:
view guichet {
    Compte_client connexion (String nom, String pin-code);
}
view Compte_client {
    Solde lire ();
    NOT void écrire (Solde s);
}
The specification of these two views indicates that the bank BA lets out only capabilities that allow the account balance to be read. The code of the bank application and of the client application thus remains completely independent of the protection.
More generally, the programming tool allows each application, the bank application and the client application in the preceding example, to define its own protection rules. When an application AA holds a capability to an object OB of an application AB, as shown in Figure 3, the capability includes the protection rules defined by application AA, grouped in a protected interface, or view, IA, and the protection rules defined by application AB, grouped in a protected interface, or view, IB. The view IB has two roles: to limit the methods that application AA may call on the object OB, and to associate the view chosen by application AB with the capabilities entering and leaving application AB when the object OB is called. The view IA fulfils only the second role, for the capabilities entering and leaving application AA. Thus, for each capability exchanged as a parameter of a call from application AA to application AB, or from application AB to application AA, the view IA associates a view IA' with that capability and the view IB associates a view IB' with it.
Another aspect of the invention is the integration of the programming tool into the smart card context. In an open smart card, applications are loaded into the card. These applications, called internal applications, interact with one another but also with applications, called external applications, that run in a host station (docking station) such as a bank terminal, a point of sale or a mobile radiotelephone terminal into which the card is inserted. This implies that capabilities are exchanged between internal applications and external applications. The programming tool associated with the invention is put in place by considering the following parts of this context, relating to the card and to the host station:
- The JAVA Card smart card is a protected environment in the sense that the JAVA code loaded into the smart card is verified before it is actually loaded. This verification aims to ensure that the code to be loaded does have certain properties of JAVA code, mainly related to security. The JAVA language does not allow addresses to be manipulated directly, and therefore memory to be overwritten arbitrarily, which provides a certain degree of security when different programs are hosted in the same JAVA virtual machine. The implementation of the protection scheme of the invention takes this card-internal context into account for the implementation of capabilities in the card.
- The host station into which the card is inserted is not necessarily a secure environment. Indeed, the card may be inserted into any host station, and the host station may well send fabricated data to deceive the card. When they are propagated outside the card, the capabilities are, according to the invention, protected by secrets that make it possible to verify the validity of the capabilities used by applications external to the card.
The invention thus relates to a programming tool for programming the management of access rights between cooperating applications running in the smart card or in the host station. The definition of the access-right management rules is separated from the application code, which gives greater clarity. Integration into the JAVA Card smart card context requires the capabilities to be managed differently inside and outside the smart card.
The programming tool associated with the invention specifies the protection rules of an application separately from the application's code.
It is assumed that a first application Aa written in the JAVA language cooperates with a second application Ab, also written in JAVA, through a cooperation interface Iab implemented in a single data processing means, for example a smart card with a specific operating system and the JAVA virtual machine:
    interface Iab {
        void meth1(I1 p1);
        I2 meth2();
        void meth3();
    }
The interface Iab contains the definitions of three methods, meth1, meth2 and meth3. The method meth1 takes as parameter p1 a reference to an object of interface type I1 and returns no result. The method meth2 takes no parameter and returns a result of interface type I2. The method meth3 takes no parameter and returns no result.
Each application then specifies protection interfaces called views, for example the following views Iab_V, I1_V1 and I2_V2:
    view Iab_V {
        void meth1(I1_V1 p1);
        I2_V2 meth2();
        NOT void meth3();
    }
When application Aa holds a capability to an object belonging to application Ab, applications Aa and Ab each have the possibility of specifying the protection to be associated with that capability by associating a view with it.
The view Iab_V indicates that only the methods meth1 and meth2 are authorised. It also indicates that if the method meth1 is called, then the application, which may be the calling application or the called application, protects itself by associating the view I1_V1 with the capability passed as parameter. Finally, it indicates that if the method meth2 is called, then the application protects itself by associating the view I2_V2 with the capability passed as result.
When application Aa holds a capability to an object of application Ab, the view that application Aa associates with that capability allows application Aa to control the capabilities that enter and leave it, that is, to associate a view with those capabilities. Conversely, the view that application Ab associates with that capability allows application Ab to control the capabilities that enter and leave it, but also to limit the methods that may be called on the object of application Ab.
In general, the first export of an access capability from application Ab to the other application Aa, and the first import of that capability by application Aa, go through a name server. Application Ab exports the access capability by associating it with a symbolic name, such as a character string, and application Aa imports the exported access capability by querying the name server with that symbolic name. Application Ab exports the capability while explicitly specifying the view that Ab associates with it. Application Aa imports the exported capability while explicitly specifying the view that Aa associates with it. For application Aa as for application Ab, the specified view indicates, for all exchanges of capabilities as parameters that follow from this first exchange, the views that will be associated with those capabilities passed as parameters.
As a result, apart from this first exchange of an access capability, the protection policy of each application according to the invention, that is, the way capabilities are exchanged, is specified at the level of the interfaces and is not buried in the application code.
The implementation of the protection policy according to the invention relies on the notion of filter objects, which "embody" capability objects (in French "capacités", meaning aptitudes or faculties; in English "capabilities"), inserted between applications Aa and Ab. For each view defined by an application, a filter class is generated, and an instance of that class is inserted at run time into the access chain to an object whose capability is exported. As shown in figure 4, if at an initial step E0 an access to an object Ob belonging to application Ab is given to application Aa, the view of application Aa for the capability of this access is implemented by a filter Fa, and the view of application Ab for this capability is implemented by a filter Fb.
A filter class defines all the methods declared in the view that the filter implements. Its role is to forward the method call to its successor in the access chain to the object. In the example shown in figure 4, the filter Fa forwards the call to the filter Fb, and the filter Fb forwards it to the object Ob.
On the other hand, a filter class implements the protection policy defined by the view from which it is generated: the filter Fb lets through only the methods authorised by the view of application Ab, and the filters Fa and Fb also implement the association of views with the capabilities passed as parameters. In the example of views above, the view Iab_V indicates the association of the view I1_V1 with the parameter p1 of the method meth1. The association of the view with the capability is implemented by inserting into the access chain to the object passed as parameter a filter object corresponding to the view. With reference to figure 5, for two applications Aa and Ab implemented in a smart card CP, application Aa holds at the initial step E0 a capability to the object Ob of application Ab, and as in figure 4, subsequent accesses to the object Ob are protected by the filter Fa(Ob) of application Aa and by the filter Fb(Ob) of application Ab. At a first step E1, when application Aa calls the method meth1 on the object Ob belonging to application Ab, that is, when accessing the object Ob, a capability to an object Oa belonging to application Aa is passed as parameter to the other application Ab. To implement the protection specified by application Aa in its view, at a second step E2 the filter Fa(Ob) adds the filter Fa(Oa) and passes it as parameter of the method meth1 in place of the direct reference to the object Oa. Likewise, to implement the protection specified by application Ab in its view, the filter Fb(Ob) adds the filter Fb(Oa) and passes it as parameter of the method meth1 in place of the parameter received.
The filter objects Fa(Ob) and Fb(Ob), when called, are therefore responsible for installing filter objects Fa(Oa) and Fb(Oa) for the references passed as parameters; in other words, two capabilities embodied by the filters Fa(Oa) and Fb(Oa), protecting access to the object Oa, are added in applications Aa and Ab respectively.
An example of a generated filter class F_Iab_V for the view Iab_V given earlier, recalled below, is shown hereafter:
    view Iab_V {
        void meth1(I1_V1 p1);
        I2_V2 meth2();
        NOT void meth3();
    }
For the views I1_V1 and I2_V2, filter classes F_I1_V1 and F_I2_V2 are created respectively. It is assumed that the two cooperating applications Aa and Ab are in the same JAVA environment, and the following lines are again written in JAVA code, in which the keyword public means that the method declared next is accessible to all classes, the keyword void means that the method declared next returns no result once executed, and the keyword new designates the object creation operator (creating an instance of a class):
    public class F_Iab_V implements Iab {
        // next entity in the access chain: the other filter, or the real object
        Iab obj;

        public F_Iab_V(Iab o) {
            obj = o;
        }

        // in the patent's notation the view types I1_V1 and I2_V2 stand in for I1 and I2
        public void meth1(I1_V1 p1) {
            // authorised: wrap the incoming capability in the filter for view I1_V1
            obj.meth1(new F_I1_V1(p1));
        }

        public I2_V2 meth2() {
            // authorised: wrap the returned capability in the filter for view I2_V2
            return (new F_I2_V2(obj.meth2()));
        }

        public void meth3() {
            // not authorised by the view: propagate an exception instead of forwarding
            throw new SecurityException("meth3 is not allowed by view Iab_V");
        }
    }
The variable obj is a reference to the next entity in the access path to the object, namely the second filter or the real object. It is used to forward the call if it is authorised.
The method F_Iab_V is the constructor of the filter class. It initialises the variable obj. When application Aa imports a capability from the name server and wants to associate the view Iab_V with it, it calls the constructor, passing it the received JAVA reference as parameter.
The method meth1 forwards a call that is therefore authorised, but it must associate the view I1_V1 with the capability passed as parameter p1. The method meth1 creates, with the operator new, a filter F_I1_V1 from the received parameter, then forwards the call, passing as parameter p1 the reference to the created filter.
The method meth2 forwards the call and receives a capability in return. It must associate the view I2_V2 with it. The method meth2 therefore creates an instance of the class F_I2_V2 from the received value and returns, with the return statement, the reference to the created filter object as the result of meth2. The method meth3 does not forward the call, since it is not authorised, and therefore propagates an exception.
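The complete in-card chain Fa(Ob) -> Fb(Ob) -> Ob of figures 4 and 5, as an added example in plain Java that is not the patent's own code: I1 and I2 are given one assumed method each (notify, read), views are modelled as sub-interfaces so a filter can stand in the chain in place of the real object, a HashMap stands in for the name server, and each filter carries an assumed owner label so the trace shows which filter wraps which capability.

```java
import java.util.HashMap;
import java.util.Map;

public class FilterChainDemo {

    // Cooperation interfaces Iab, I1, I2. The bodies of I1 and I2 are assumed here
    // so that the parameter and result views have something to forward.
    interface I1 { void notify(String msg); }
    interface I2 { int read(); }
    interface Iab { void meth1(I1 p1); I2 meth2(); void meth3(); }

    // Views as sub-interfaces: a view filter is still a valid I1 or I2 for the callee.
    interface I1_V1 extends I1 {}
    interface I2_V2 extends I2 {}

    // Filter generated for view I1_V1 (assumed: the view allows notify).
    static class F_I1_V1 implements I1_V1 {
        private final I1 obj;
        F_I1_V1(I1 o) { obj = o; }
        public void notify(String msg) { obj.notify(msg); }
    }

    // Filter generated for view I2_V2 (assumed: the view allows read).
    static class F_I2_V2 implements I2_V2 {
        private final I2 obj;
        F_I2_V2(I2 o) { obj = o; }
        public int read() { return obj.read(); }
    }

    // Filter generated for view Iab_V: meth1 and meth2 forwarded, meth3 refused.
    static class F_Iab_V implements Iab {
        private final Iab obj;      // next entity in the access chain (other filter or Ob)
        private final String owner; // assumed label: which application installed the filter
        F_Iab_V(Iab o, String owner) { obj = o; this.owner = owner; }
        public void meth1(I1 p1) {
            System.out.println(owner + ": wrap p1 in F_I1_V1 and forward meth1");
            obj.meth1(new F_I1_V1(p1));          // parameter capability gets this app's view
        }
        public I2_V2 meth2() {                    // covariant return: I2_V2 extends I2
            System.out.println(owner + ": forward meth2 and wrap the result in F_I2_V2");
            return new F_I2_V2(obj.meth2());      // result capability gets this app's view
        }
        public void meth3() {
            throw new SecurityException(owner + ": meth3 is not allowed by view Iab_V");
        }
    }

    // Name server: Ab exports Ob under a symbolic name, already wrapped in Fb(Ob).
    static final Map<String, Iab> NAME_SERVER = new HashMap<>();

    public static void main(String[] args) {
        // Application Ab's real object Ob; its meth1 uses the capability it receives.
        Iab ob = new Iab() {
            public void meth1(I1 p1) { p1.notify("hello from Ob through " + p1.getClass().getSimpleName()); }
            public I2 meth2() { return () -> 42; }
            public void meth3() { System.out.println("Ob.meth3 executed (must never happen)"); }
        };
        // Step E0: Ab exports with view Iab_V -> Fb(Ob); Aa imports with view Iab_V -> Fa(Ob).
        NAME_SERVER.put("bank/Ob", new F_Iab_V(ob, "Fb(Ob)"));
        Iab faOb = new F_Iab_V(NAME_SERVER.get("bank/Ob"), "Fa(Ob)");

        // Steps E1/E2: Aa passes its own object Oa; Ob receives it as Fb(Oa) wrapping Fa(Oa).
        I1 oa = msg -> System.out.println("Oa received: " + msg);
        faOb.meth1(oa);

        // The meth2 result comes back wrapped twice (Fb then Fa) and still works.
        System.out.println("meth2 result = " + faOb.meth2().read());

        // meth3 is stopped by Fa(Ob) before anything reaches application Ab.
        try { faOb.meth3(); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```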
The implementation when the cooperating applications Aa and Ab are both in the smart card follows the principles described above. On the other hand, when one of the two applications is outside the card, the implementation is appreciably different.
It is recalled that method calls between a host station SA, such as a terminal, and a smart card CP, as shown schematically in figure 6, are implemented with messages called application protocol data units (APDU) exchanged between the host station SA and the smart card CP, these method calls being made only in the direction from the host station to the card. Indeed, the host station and the smart card, or alternatively two smart cards or two controllers in a smart card or a terminal, comprise microcontrollers constituting data processing means that are respectively master and slave and that communicate according to an asynchronous data exchange protocol, which obliges the host station to poll the card periodically so that the card can, in response, trigger an action in the host station.
As a variant, the host station in what follows is replaced by another smart card, that is, the cooperating applications Aa and Ab are implemented respectively in two smart cards, or more generally in two controllers.
The asynchronous data exchange protocol implies that, for a call relating to an object Ob1 from application Aa in the host station SA to application Ab in the card CP to which the object Ob1 belongs, when a call is forwarded between two filter objects Fa(Ob1) and Fb(Ob1) relating to the object Ob1, this forwarding takes the form of a message exchange between the host station and the card. A host station of unknown origin (a pirate station) is then able to construct a message corresponding to a method call even though it is not actually authorised to make that method call. This amounts to creating a capability, which is not possible in the protection scheme according to the invention. To protect capabilities against these attacks, secrets, such as passwords mdp, possibly based on encryption methods, are used.
As shown in figure 6, when at a first step E3 application Aa in the host station SA calls the method meth2 on an object Ob1 belonging to the other application Ab in the card CP, that is, when accessing the object Ob1, and when at a second step E4 the result of this method call returns an access capability to an object Ob2 belonging to application Ab, the filter Fb(Ob1) creates the filter Fb(Ob2) in the operating system of the card CP for this access capability. According to the invention, the filter Fb(Ob1) then generates a secret, such as a password mdp, which is stored in the filter Fb(Ob2) and returned to the filter Fa(Ob1), which also stores it. Thus, when the filter Fa(Ob1) creates the filter Fa(Ob2) in the host station SA for the returned access capability, the filter Fa(Ob1) passes to the filter Fa(Ob2) the password mdp stored there. In other words, access to the object Ob2 is protected in applications Aa and Ab respectively by two added capabilities embodied by the filters Fa(Ob2) and Fb(Ob2).
When at step E4 this returned capability is used to call a method on the object Ob2, the call between the filters Fa(Ob2) and Fb(Ob2) includes the password in the APDU message, which allows the filter Fb(Ob2) to verify that the access capability to the object Ob2 is valid.
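The card-side bookkeeping for steps E3/E4, as an added example that is not the patent's code: for each capability exported outside the card, the card keeps the real object, the methods its view permits and the secret mdp, and checks all three on every incoming APDU-like request; the Account object (the bank example's read-only view), the Apdu and Exported classes, the 16-byte secret and the method names are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class CardCapabilityTable {

    // Object Ob2 belonging to application Ab in the card: a bank account (assumed).
    interface Account { int readBalance(); void debit(int amount); }

    // APDU-like message from the host station: exported handle, presented secret,
    // requested method and one integer argument (constructed format, assumed).
    static final class Apdu {
        final int handle; final byte[] mdp; final String method; final int arg;
        Apdu(int handle, byte[] mdp, String method, int arg) {
            this.handle = handle; this.mdp = mdp; this.method = method; this.arg = arg;
        }
    }

    // What Fb(Ob1) returns at step E4: the handle of the new filter Fb(Ob2) and the
    // secret mdp that Fa(Ob1) hands to Fa(Ob2) in the host station.
    static final class Exported {
        final int handle; final byte[] mdp;
        Exported(int handle, byte[] mdp) { this.handle = handle; this.mdp = mdp; }
    }

    // Card-side filter Fb(Ob2): real object, methods its view allows, and the secret.
    private static final class CardFilter {
        final Account target; final Set<String> allowed; final byte[] mdp;
        CardFilter(Account t, Set<String> a, byte[] m) { target = t; allowed = a; mdp = m; }
    }

    private final Map<Integer, CardFilter> filters = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private int nextHandle = 1;

    // Step E4 on the card: create Fb(Ob2) for the returned capability and generate its
    // secret. Only capabilities that leave the card carry a secret (the "two formats").
    Exported export(Account ob2, Set<String> allowedByView) {
        byte[] mdp = new byte[16];
        rng.nextBytes(mdp);
        int handle = nextHandle++;
        filters.put(handle, new CardFilter(ob2, allowedByView, mdp.clone()));
        return new Exported(handle, mdp);
    }

    // Later call from Fa(Ob2): the APDU must name a live handle, carry the matching
    // secret and request a method the view allows; a fabricated capability fails here.
    int invoke(Apdu apdu) {
        CardFilter f = filters.get(apdu.handle);
        if (f == null) throw new SecurityException("unknown capability");
        // Constant-time comparison so the check does not leak how many bytes matched.
        if (!MessageDigest.isEqual(f.mdp, apdu.mdp)) throw new SecurityException("bad secret");
        if (!f.allowed.contains(apdu.method)) throw new SecurityException("method not in view");
        switch (apdu.method) {
            case "readBalance": return f.target.readBalance();
            case "debit": f.target.debit(apdu.arg); return f.target.readBalance();
            default: throw new SecurityException("method not in view");
        }
    }

    // The object is deleted by its owner: the operating system destroys the matching
    // filter, so the handle and its secret stop working.
    void destroy(int handle) { filters.remove(handle); }

    public static void main(String[] args) {
        CardCapabilityTable card = new CardCapabilityTable();
        Account ob2 = new Account() {
            int balance = 100;
            public int readBalance() { return balance; }
            public void debit(int amount) { balance -= amount; }
        };
        Exported cap = card.export(ob2, Set.of("readBalance"));   // read-only view

        System.out.println("balance = " + card.invoke(new Apdu(cap.handle, cap.mdp, "readBalance", 0)));

        byte[] wrong = new byte[16];                               // secret not known to the station
        try { card.invoke(new Apdu(cap.handle, wrong, "readBalance", 0)); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }

        try { card.invoke(new Apdu(cap.handle, cap.mdp, "debit", 10)); }   // outside the view
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }

        card.destroy(cap.handle);                                  // Ob2 deleted in Ab
        try { card.invoke(new Apdu(cap.handle, cap.mdp, "readBalance", 0)); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```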
The invention thus creates, by naming, a correspondence between an object and a capability embodied by a filter, both managed by the operating systems in the data processing means, such as the host station and the smart card. If an object is deleted in an application, the respective operating system destroys the corresponding filter.
Thus, the cooperation between an application Ab in the card and any other application requires managing capabilities that can take two formats: with a password if the capability is exported outside the card to that application, and without a password if it stays in the card.
The above protection scheme uses references, a kind of pointer, to JAVA objects, which are almost capabilities. Indeed, since the JAVA language is safe, it is not possible in a JAVA program to construct a reference to an object and call a method on it. This implies that if an object O1 creates an object O2, the object O2 is not accessible from the other objects of the JAVA environment as long as object O1 does not explicitly pass a reference to object O2 to those other objects. Such a reference can only be passed as a parameter, when an object calls object O1 or when object O1 calls another object.

Claims

1 - Method for controlling access between two applications (Aa, Ab), each cooperating by means of capabilities on objects belonging to the other application, the applications cooperating through at least one operating system and being installed in a data processing means (CP), characterized by the following step: when one (Aa) of the applications, called the access-requesting application, is given access to an object (Ob; Ob1) belonging to the other application (Ab), called the access-providing application, creating (E0) two capabilities (Fa(Ob), Fb(Ob); Fa(Ob1), Fb(Ob1)) as objects, respectively in said access-requesting and access-providing applications; the capability created in the access-providing application (Ab) serving to limit access to said object (Ob), and the capability created in the access-requesting application (Aa) serving to associate the access-requesting application with the capability created in the access-providing application (Ab).
2 - Method according to claim 1, comprising, upon access (E1; E3) to an object (Ob; Ob1) belonging to one (Ab) of the applications, if a second object (Oa; Ob2) belonging to one (Aa; Ab) of the applications is passed to that application, the step of adding (E2, E4) two further capabilities (Fa(Oa), Fb(Oa); Fa(Ob2), Fb(Ob2)) respectively in the applications (Aa, Ab) to protect access to the second object.
3 - Method according to claim 2, in which the capability for accessing the second object (Oa; Ob2) belonging to one of the applications is passed as a parameter or as a result to the other application.
4 - Method according to any one of claims 1 to 3, characterized by exporting a capability from one application (Ab) to the other application (Aa) by associating it with a symbolic name, and importing the exported access capability into the other application by querying a name server with the symbolic name.
5 - Method according to any one of claims 1 to 4, in which the applications (Aa, Ab) are installed in a common data processing means (CP).
6 - Method according to any one of claims 1 to 4, in which the applications (Aa, Ab) are installed respectively in two remote data processing means (SA, CP) that exchange messages for accessing remote objects.
7 - Method according to claim 6 when dependent on claim 2 or 3, in which the step of adding two further capabilities (E4) comprises storing a secret word (mdp) in the two further capabilities (Fa(Ob2), Fb(Ob2)), passed to them by the two previously created capabilities (Fa(Ob1), Fb(Ob1)).
8 - Method according to claim 6 or 7, in which the data processing means are included respectively in a smart card (CP) and a docking station (SA) for the smart card.
9 - Method according to claim 6 or 7, in which the data processing means are included respectively in two smart cards.
10 - Method for generating applications, characterized in that it comprises:
- a step of developing an application (Ab) comprising one object (Ob) or several objects (Ob, Ob1), without access restriction;
- a step of defining access-rights rules for the object (Ob) or objects (Ob, Ob1) included within the application, as seen from a second application (Aa) or from several other applications;
- a step of transforming the application (Ab) comprising the object or objects (Ob, Ob1) by adding to said application (Ab) filtering means (Fa, Fb) for the accesses to said object (Ob) or objects (Ob, Ob1), in order to implement the access control method according to claims 1 to 4;
- a step of installing the transformed application within a data processing means (CP, SA).
11 - Method according to claim 10, in which the data processing means is included in a smart card.
12 - Method according to claim 10, in which the data processing means is included in a docking station (SA) for the smart card.
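As an added illustration, not code from the patent or its assignees, the Java sketch below implements the two-filter scheme of the description above (references as near-capabilities) and of claims 1 to 3 for the single-card case of claim 5: Ab owns a purse object Ob; the filter Fb(Ob) created by Ab enforces the access rule (bounded debit, no credit); the filter Fa(Ob) created in Aa only forwards to Fb(Ob); and when a second object Ob2 (the transaction history) is returned as a result, it is wrapped in its own pair Fa(Ob2)/Fb(Ob2) rather than handed out as a raw reference. The class names, the purse methods and the debit limit are assumptions of this illustration.

```java
import java.util.ArrayList;
import java.util.List;
// Added illustration, not code from the patent: the filter pair of claims 1-3
// for two applications Aa and Ab hosted in the same card (claim 5).
final class CapabilityDemo {
    /** Ob: the object owned by Ab. Aa is never handed a reference to it. */
    static final class Purse {
        private int balance = 100;                        // constructed sample state
        private final List<Integer> log = new ArrayList<>();
        int balance() { return balance; }
        void debit(int amount) { balance -= amount; log.add(-amount); }
        void credit(int amount) { balance += amount; log.add(amount); }
        List<Integer> history() { return log; }          // Ob2: a second object of Ab
    }
    /** Fb(Ob): created by Ab at step E0; limits what may be done to Ob. */
    static final class PurseFilterB {
        private final Purse target;                       // the only path to Ob
        private final int debitLimit;                     // access-rights rule set by Ab
        PurseFilterB(Purse t, int limit) { target = t; debitLimit = limit; }
        int balance() { return target.balance(); }
        boolean debit(int amount) {                       // the rule is enforced here
            if (amount <= 0 || amount > debitLimit) return false;
            target.debit(amount);
            return true;
        }
        // credit() is deliberately absent: Aa cannot reach it through Fb(Ob).
        /** Ob2 returned as a result (claims 2-3): wrapped in Fa(Ob2)/Fb(Ob2), never raw. */
        HistoryFilterA history() { return new HistoryFilterA(new HistoryFilterB(target.history())); }
    }
    /** Fa(Ob): created in Aa at step E0; associates Aa with Fb(Ob). */
    static final class PurseFilterA {
        private final PurseFilterB fb;
        PurseFilterA(PurseFilterB fb) { this.fb = fb; }
        int balance() { return fb.balance(); }
        boolean debit(int amount) { return fb.debit(amount); }
        HistoryFilterA history() { return fb.history(); }
    }
    /** Fb(Ob2): read-only view of the history; the List itself stays inside Ab. */
    static final class HistoryFilterB {
        private final List<Integer> log;
        HistoryFilterB(List<Integer> log) { this.log = log; }
        int size() { return log.size(); }
        int entry(int i) { return log.get(i); }
    }
    /** Fa(Ob2): Aa's handle on Fb(Ob2). */
    static final class HistoryFilterA {
        private final HistoryFilterB fb;
        HistoryFilterA(HistoryFilterB fb) { this.fb = fb; }
        int size() { return fb.size(); }
        int entry(int i) { return fb.entry(i); }
    }
    /** Step E0: Ab grants Aa access to Ob by creating both filters as objects. */
    static PurseFilterA grantAccess(Purse ob, int debitLimit) {
        return new PurseFilterA(new PurseFilterB(ob, debitLimit));
    }
    public static void main(String[] args) {
        Purse ob = new Purse();                           // lives in Ab
        PurseFilterA fa = grantAccess(ob, 50);            // all that Aa ever receives
        System.out.println(fa.debit(30) + " " + fa.debit(80)); // within, then over, the limit
        System.out.println(fa.balance());
        HistoryFilterA h = fa.history();                  // Ob2 reached only via its filters
        System.out.println(h.size() + " " + h.entry(0));
    }
}
```

In a real card Aa and Ab would be separate packages or applets; here they share one file for brevity, so it is the absence of any exported reference to Ob, not Java's package-level privacy, that keeps Ob out of Aa's reach.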
EP00990048A 1999-12-10 2000-12-08 Capability-based access control for applications in particular co-operating applications in a chip card Withdrawn EP1240570A2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR9915791A FR2802319B1 (en) 1999-12-10 1999-12-10 CAPACITY ACCESS CONTROL FOR ESPECIALLY COOPERATING APPLICATIONS IN A CHIP CARD
FR9915791 1999-12-10
PCT/FR2000/003463 WO2001042887A2 (en) 1999-12-10 2000-12-08 Access control for co-operating applications in a chip card

Publications (1)

Publication Number Publication Date
EP1240570A2 true EP1240570A2 (en) 2002-09-18

Family

ID=9553271

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00990048A Withdrawn EP1240570A2 (en) 1999-12-10 2000-12-08 Capability-based access control for applications in particular co-operating applications in a chip card

Country Status (5)

Country Link
US (1) US7490333B2 (en)
EP (1) EP1240570A2 (en)
AU (1) AU2685701A (en)
FR (1) FR2802319B1 (en)
WO (1) WO2001042887A2 (en)


Also Published As

Publication number Publication date
US7490333B2 (en) 2009-02-10
FR2802319B1 (en) 2004-10-01
FR2802319A1 (en) 2001-06-15
WO2001042887A3 (en) 2002-02-07
WO2001042887A2 (en) 2001-06-14
AU2685701A (en) 2001-06-18
US20030065982A1 (en) 2003-04-03


Legal Events

Code Title Description
PUAI Public reference made under article 153(3) EPC to a published international application that has entered the European phase; Free format text: ORIGINAL CODE: 0009012
AK Designated contracting states; Kind code of ref document: A2; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR
AX Request for extension of the European patent; Free format text: AL;LT;LV;MK;RO;SI
17P Request for examination filed; Effective date: 20020807
RAP1 Party data changed (applicant data changed or rights of an application transferred); Owner name: GEMALTO SA
17Q First examination report despatched; Effective date: 20101209
STAA Information on the status of an EP patent application or granted EP patent; Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN
18D Application deemed to be withdrawn; Effective date: 20110621