EP1278164B1 - System and method for changing the functionality of a security module - Google Patents
System and method for changing the functionality of a security module
- Publication number
- EP1278164B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- program
- application program
- memory
- data
- loaded
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00185—Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
- G07B17/00193—Constructional details of apparatus in a franking system
- G07B2017/00258—Electronic hardware aspects, e.g. type of circuits used
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00733—Cryptography or similar special procedures in a franking system
- G07B2017/00959—Cryptographic modules, e.g. a PC encryption board
- G07B2017/00967—PSD [Postal Security Device] as defined by the USPS [US Postal Service]
Definitions
- It is known from EP 417 447 B1 to use special modules in electronic data processing systems and to equip them with means for protection against intrusion into their electronics. Such modules belong to the class of security modules.
- Modern franking machines, or other devices for franking mail, are provided with a printer for printing the postage stamp on the mail, a controller for controlling the printing and the peripheral components of the postage meter, a billing unit for settling postage fees in nonvolatile memories, and a unit for cryptographically securing postage data.
- A security module (EP 789 333 A2) may include a hardware canceling unit and/or the unit for securing the printing of postal fee data.
- The former can be realized as an application-specific integrated circuit (ASIC) and the latter as a one-time programmable (OTP) processor.
- An internal OTP memory stores read-only sensitive data (cryptographic keys), which are required, for example, to reload a credit.
- An encapsulation by a safety housing provides further protection.
- The scale also provides programmable security means to prevent unauthorized erasure of data blocks in the flash EEPROM memory areas.
- Partial image files and a control file are determined, which are downloaded simultaneously with the data intended for the scale from a data center into the memory of the franking machine.
- The processing status is also saved in order to preserve, in nonvolatile form, the program state reached when the program is aborted.
- Neither in the postage meter nor in the scale is security-relevant program data installed.
- The first method has the disadvantage over the second method that a faulty program can no longer be exchanged.
- The second method has the disadvantage of requiring a device with at least two different memory banks, which makes it more expensive given the above-mentioned severe restrictions on the use of memory space.
- Postal security modules are subject to special requirements with regard to the exchange or extensibility of functions.
- The programming of the above-mentioned program blocks may not be carried out at any time and, in particular, not by every operator.
- A FLASH type having only one partition, such as the Spansion™ 16 Mbit MBM29LV160TE offered by Advanced Micro Devices (AMD) or by Fujitsu, which is reprogrammable and has free space.
- The developed security module uses a microprocessor that enables the execution of its program in a main memory.
- A FLASH program memory is also used for the application-specific program. Both memories are connected to the processor via the bus.
- The communication interface 150 is designed to provide data for at least part of an application program, an associated certificate code and identification data, and the microprocessor 120 is programmed by the start-up program partially copied into the main memory 121 to store the data of the part of the application program in a free memory space of the FLASH program memory when the identifier data mark a successor to the stored preceding identifier, to verify the authenticity of the loaded part of the application program by means of the certificate code, and, if the loaded part of the application program is authentic, to store it as valid.
- The microprocessor 120 determines whether the identifier data identify a successor to the stored preceding identifier by comparing the identifier data with corresponding comparison data stored in another memory area of the FLASH program memory 128, in which information data about an already loaded program is listed.
- The identifier (tag) data include program type, version and revision data.
- A microprocessor type is provided which allows the execution of its program in a working memory 121 in order to reprogram the FLASH. This eliminates the need for an expensive FLASH program memory device with separate memory banks.
- The power management unit (Power Manager) 11 has a plurality of functional units, which ensure the operability of the security module with a low power consumption even when the device is switched off.
- The power management unit 11 includes a DC/DC converter (not shown) and a voltage regulator (not shown) for the respective operating voltages (3 V, 5 V and 8 V), as well as a temperature and voltage monitoring circuit (not shown). The latter two can generate a reset signal. The supplied system voltage is monitored for exceeding or falling below limit values. Within these limits, a DC/DC converter provides a predetermined operating voltage U_B. Voltage generation ensures that all voltages required by the functional units of the security module are produced.
- When the device is turned off, only a real-time clock (RTC) and the main memory are supplied with battery voltage, in addition to the monitoring circuits and the destruction detection unit.
- An uninterrupted supply of battery-operated units is also disclosed in DE 200 20 635 U1.
- The latter includes at least one of the post memories, some of the detectors and the SRDI memory.
- Two independent batteries can be connected to the security module.
- The first battery voltage comes from the internal battery 134, which may optionally be supported by a second separate battery.
- The special circuit FPGA 160 is connected to two nonvolatile memories 114 (NVRAM I) and 116 (NVRAM II), which contain, among other things, the postally relevant data.
- The two nonvolatile memories NVRAM I and II are physically separated and implemented in different technologies. They can be written and read by the processor, can be modified by the FPGA and can be read from outside the security module.
- One of the nonvolatile memories is implemented in a mixed EEPROM/SRAM technology; the other is a conventional SRAM.
- Thin black arrows indicate the supply of components with a corresponding operating voltage from the power management and monitoring unit 11 or from the monitoring unit 12.
- Thin white arrows indicate interrogation and control lines.
- The erase hardware includes, in part, means of the power management and monitoring unit, a control line CL, and a bus driver unit 127.
- The control lines from the destruction detection unit 15 and the voltage monitoring unit 12 are connected to a common control line CL, shown in phantom.
- The units 12 or 15 act via the common control line CL on an electronic switch S, which selectively applies operating voltage U_B, erase voltage U_C or ground potential U_M to the VCC pin of the SRDI memory 122.
- This SRDI RAM is not directly connected to the processor bus. All digital signals are routed via driver circuits of the bus driver unit 127, which have outputs that can be switched to high impedance. Thus, the bus can be decoupled from the SRDI memory 122.
- The bus driver unit 127 is also driven by the common control line CL.
- The first two cause the data in the SRDI memory to be cleared when triggered (or linked).
- The temperature sensor monitors the operating temperature of the module and triggers a reset if the temperature falls below or exceeds a predetermined value. This also prevents improper use and protects the user data. A reset will also be triggered if the input voltage of the module becomes too low or too high, or if the internal operating voltage drops below a certain level. The status of all other voltages can be queried by the system software.
- The security module contains an LED (not shown) for status output and is potted with a hard, opaque potting compound 105, in which a sensor diaphragm 153 is embedded. One of the event detectors, the destruction detection unit 15, is connected to conductor loops of the sensor diaphragm 153.
- The bottom layer contains a boot loader with an integrated code checker.
- The boot loader first loads the pre-initialization program, which, once loaded and executed, cannot be replaced by another pre-initialization program but at most by a part of the application program. Before the bootstrap program stores the state of a loaded part of the application program as valid, the latter is checked by means of a certificate code.
- The certificate code is provided with each part of the application program. For verification, a code verification key is needed, which is loaded during production as part of a pre-initialization.
- A hash value is formed, which is encrypted, for example, with a key according to the known DES method (Data Encryption Standard) to form a Message Authentication Code (MAC).
- The MAC is attached as a certificate code to the application program.
- The code verification key must be stored in the security module protected against read-out if the code verification key is a key of a symmetric encryption method (DES).
- FIG. 3 shows a flow chart for changing the functionality of the security module.
- After a manufacturer device (not shown) is switched on, power is provided, and in step 200 it is checked whether the power-up had the intended effect, so that a system voltage is applied to the security module. If not, the flow branches to a waiting loop and the query is repeated continuously. If the system voltage is applied to the security module, a startup program is started in step 201 and at least a first part of the boot loader program with the programming functionality is copied into the main memory SRAM 121.
- The microprocessor 120 is programmed by the boot loader program such that the memory area of the FLASH program memory in which the boot loader is located can only be copied but not overwritten. Information about an already loaded application program may be stored in nonvolatile form in another memory area of the FLASH program memory 128 or elsewhere. The information includes a state variable. In the subsequent program execution, the microprocessor determines in step 202, on the basis of the aforementioned information, whether a valid state of an application program is present.
- The boot loader will be active again and can save new application program data.
- If the microprocessor determines in step 202 that the existing application program has been marked as 'invalid' or that there is no valid state of the application program, the flow branches from step 202 to step 203, in which a second part of the boot loader, with communication interface call and checking functionality, is started.
- In step 204 it is checked whether application program data and identification data are present in the communication interface. If this is not the case, the system branches to a waiting loop and repeats the query. If they are present, however, the flow branches to a query step 205, in which it is checked whether the identification data identify a successor to the stored predecessor. The microprocessor compares the supplied identification data with stored identification data.
- Otherwise the flow branches back via a waiting loop to step 204. If the identifier data present in the communication interface mark a successor to the stored predecessor, the flow branches to a step 206.
- The microprocessor is controlled according to the above-mentioned first part program of the boot loader with the programming functionality.
- The copied application program data is stored in a memory space of the program memory intended for the application program.
- New valid program data whose associated identifier data characterize a successor are only written to a memory location if the already existing program was previously marked in step 211 with the status variable 'invalid'.
- The latter implies that data for deleting the application program are present in the communication interface (step 210).
- The security module is adaptable to different devices and can be used to solve a variety of tasks.
- The security module which is intended for use in postal devices, in particular for use in a franking machine, is referred to as a postal security module (Postal Security Device) or as a secure accounting device (Security Accounting Device).
- A PSD is based on the same hardware as an SAD.
- The PSD uses an asymmetric encryption algorithm (RSA, ECDSA), but the SAD uses a symmetric encryption algorithm (DES, triple-DES).
- The security module may also have another design that allows it to operate in different devices. Thus it can, for example, be plugged onto the motherboard of a personal computer that drives a commercial printer as a PC meter.
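The update decision described above (steps 202 to 211: state variable, successor check, storing, certificate-code verification), modelled as an added example that is not code from the patent or its applicant. Assumptions: HMAC-SHA-256 stands in for the hash-plus-DES MAC, and the successor rule (same program type, strictly newer version/revision) and the inclusion of the identification data in the MAC are illustrative choices the page does not specify. All class names, result strings, keys and images are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum

REFUSED_VALID = "refused: valid application present"
REFUSED_NOT_SUCCESSOR = "refused: not a successor"
STORED_NOT_AUTHENTIC = "stored, not authentic: state stays invalid"
ACCEPTED = "accepted: marked valid"


class State(Enum):
    INVALID = 0
    VALID = 1


@dataclass(frozen=True)
class Ident:
    """Identification data: program type, version and revision."""
    program_type: int
    version: int
    revision: int

    def encode(self) -> bytes:
        return struct.pack(">HHH", self.program_type, self.version, self.revision)


def is_successor(new: Ident, stored: Ident) -> bool:
    # Assumed rule (not given on the page): same program type and a
    # strictly newer (version, revision) pair, so replays and downgrades fail.
    return (new.program_type == stored.program_type
            and (new.version, new.revision) > (stored.version, stored.revision))


def certificate_code(key: bytes, ident: Ident, image: bytes) -> bytes:
    # Stand-in for the hash + DES MAC of the page. Covering the identification
    # data as well is an assumption; it keeps the version fields from being
    # edited independently of the image.
    return hmac.new(key, ident.encode() + image, hashlib.sha256).digest()


class BootLoader:
    """Single-bank model: the new image overwrites the old one before it is verified."""

    def __init__(self, code_verification_key: bytes, ident: Ident, image: bytes):
        self._key = code_verification_key   # loaded at pre-initialization
        self.ident = ident                  # stored comparison data
        self.flash = image                  # application area of the FLASH
        self.state = State.VALID            # nonvolatile state variable

    def delete_request(self) -> None:
        # Steps 210/211: a delete command marks the old application invalid.
        self.state = State.INVALID

    def load(self, ident: Ident, image: bytes, cert: bytes) -> str:
        # Step 202: nothing is written while a valid application exists.
        if self.state is State.VALID:
            return REFUSED_VALID
        # Step 205: only a successor of the stored identifier is accepted.
        if not is_successor(ident, self.ident):
            return REFUSED_NOT_SUCCESSOR
        # Step 206: program the application area; the state stays INVALID.
        self.flash = image
        expected = certificate_code(self._key, ident, image)
        if not hmac.compare_digest(expected, cert):
            # Boot loader remains active; stored identifier is not advanced.
            return STORED_NOT_AUTHENTIC
        self.ident = ident
        self.state = State.VALID
        return ACCEPTED


def demo() -> list:
    key = b"constructed-demo-key"           # constructed sample key
    old, new = Ident(1, 2, 0), Ident(1, 2, 1)
    image = b"constructed application image v2.1"
    cert = certificate_code(key, new, image)
    bl = BootLoader(key, old, b"constructed application image v2.0")
    results = [bl.load(new, image, cert)]               # old app still valid
    bl.delete_request()
    downgrade = Ident(1, 1, 9)
    results.append(bl.load(downgrade, image, certificate_code(key, downgrade, image)))
    results.append(bl.load(new, image, bytes(32)))      # wrong certificate code
    results.append(bl.load(new, image, cert))           # authentic successor
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the module has a single FLASH bank, a failed verification leaves no runnable application; the state variable staying invalid is what keeps the boot loader in control until an authentic successor arrives.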
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Claims (13)
- System for changing the functionality of a security module, which comprises a microprocessor (120) and a reprogrammable program memory (128) that stores a boot loader which can be partially copied into a working memory (121), said reprogrammable program memory (128) having a free memory space for the subsequently loadable application program, in which an old application program is stored, wherein the security module comprises a special circuit (160) equipped with a communication interface (150) for establishing a communication link with a manufacturer's device, which provides the security module with a system voltage and application program data, and whose microprocessor (120) is in communication via a bus with the working memory (121), the program memory (128) and a communication interface (150), characterized in that the communication interface (150) is designed to provide data of at least a part of an application program, an associated certificate code and identification data, and that the microprocessor (120) is programmed by the boot loader partially copied into a working memory (121) to - check, by means of a state variable, the program state of the old application program and check the associated identification data, - store the data of the provided part of the subsequently loadable application program in the free memory space of the program memory (128), said free memory space being intended for the subsequently loadable application program, if the state variable indicates that the program state of the old application program is invalid and if the identification data of the at least one loaded part of the modified application program identify a successor to the stored identifier of the predecessor, - check the authenticity of the at least one loaded part of the subsequently loadable application program by means of the certificate code and store the subsequently loadable application program as valid if the loaded part of said subsequently loadable application program is authentic.
- System according to claim 1, characterized in that the program memory (128) is a FLASH program memory, that the communication interface (150) comprises an internal controller and a communication buffer memory from which the data stored first are output and transmitted first, and that a type of microprocessor is provided which allows its program to be executed in a working memory (121).
- Method for changing the functionality of a security module whose program memory (128) is reprogrammable and has a free memory space for a subsequently loadable application program, in which an old application program is stored, and whose functionality can be changed by reprogramming the program memory using a boot loader stored in the program memory, said boot loader being partially copied into a working memory for the execution of a program part, characterized by the steps: - executing a program part that has been partially copied into a working memory, - checking, by means of a state variable, a program state of the old application program, said program state having been reached during programming and being stored in nonvolatile form, in order to be able to execute the program functionality depending on the state, and checking the identification data of the old application program, - storing the data of the part of the subsequently loadable application program in the free memory space of the program memory (128), said free memory space being intended for an application program, if the state variable indicates that the program state of the old application program is invalid and if the identification data of the at least one loaded part of the subsequently loadable application program identify a successor to the stored identifier of the predecessor, - enabling the modified mode of operation of the subsequently loaded part of the subsequently loadable application program if it is authentic, storing the subsequently loaded part of the new application program as valid if it is authentic, and storing the state variables.
- Method according to claim 3, characterized in that data of at least a part of an application program, an associated certificate code and associated identification data are provided in a communication interface (150), that the data of this at least one part of the application program are stored in a free memory space of the program memory if the identification data identify a successor to the identifier of the predecessor, that the authenticity of the at least one loaded part of the application program is verified by means of the certificate code, and that this at least one loaded part of the application program is stored as valid if it is authentic.
- Method according to claim 4, characterized in that, if the at least one loaded part of the application program is authentic, a state variable is stored which marks the aforementioned loaded program part as valid.
- Method according to claim 3, characterized in that a code verification key is provided for verifying the authenticity of the loaded part of the application program.
- Method according to claim 6, characterized in that the provision includes loading the code verification key, which is loaded during manufacture as part of a pre-initialization, that the code verification key is stored in the security module protected against read-out, and that it is a secret key of a symmetric cryptographic method.
- Method according to claim 6, characterized in that the provision includes loading the code verification key, which is loaded during manufacture as part of a pre-initialization, that the code verification key is a public verification key, that the public verification key and a corresponding secret signing key form a key pair, and that the certificate code is created by the manufacturer using the secret signing key for the data of the at least one part of the application program.
- Method according to claim 4, characterized in that the microprocessor (120) determines whether the identification data identify a successor to the stored identifier of the predecessor by comparing the identification data with corresponding comparison data stored in another memory area of the program memory (128), in which information data relating to an already loaded program are listed.
- Method according to claim 9, characterized in that the information data are supplied by the manufacturer to the communication interface (150) together with the application program data, the information data comprising the start and end address of the program, the checksum (CRC / cyclic redundancy check) and the identification data.
- Method according to claims 9 to 10, characterized in that the program type and the version and revision data form part of the identification data.
- Method according to claims 3 to 5, characterized in that the state variable required for checking a program state reached during programming is stored and available in the program memory (128) or in a nonvolatile memory of the security module.
- Method according to claim 12, characterized in that the state variable is a flag that allows the loaded application program to be marked as valid after verification of a cryptographic signature proving the authenticity of the loaded application program.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10137505 | 2001-07-16 | ||
DE10137505A DE10137505B4 (de) | 2001-07-16 | 2001-07-16 | Arrangement and method for changing the functionality of a security module |
Publications (3)
Publication Number | Publication Date |
---|---|
EP1278164A2 (fr) | 2003-01-22 |
EP1278164A3 (fr) | 2004-01-14 |
EP1278164B1 (fr) | 2013-01-16 |
Family
ID=7693871
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02090220A Expired - Lifetime EP1278164B1 (fr) | 2001-07-16 | 2002-06-22 | System and method for changing the functionality of a security module |
Country Status (3)
Country | Link |
---|---|
US (1) | US7043631B2 (fr) |
EP (1) | EP1278164B1 (fr) |
DE (1) | DE10137505B4 (fr) |
-
2001
- 2001-07-16 DE DE10137505A patent/DE10137505B4/de not_active Expired - Fee Related
-
2002
- 2002-06-22 EP EP02090220A patent/EP1278164B1/fr not_active Expired - Lifetime
- 2002-07-11 US US10/193,043 patent/US7043631B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
EP1278164A3 (fr) | 2004-01-14 |
US20030014673A1 (en) | 2003-01-16 |
DE10137505B4 (de) | 2005-06-23 |
US7043631B2 (en) | 2006-05-09 |
EP1278164A2 (fr) | 2003-01-22 |
DE10137505A1 (de) | 2003-03-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| | AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
| | AX | Request for extension of the european patent | Free format text: AL;LT;LV;MK;RO;SI |
| | PUAL | Search report despatched | Free format text: ORIGINAL CODE: 0009013 |
| | AK | Designated contracting states | Kind code of ref document: A3 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
| | AX | Request for extension of the european patent | Extension state: AL LT LV MK RO SI |
| | RIC1 | Information provided on ipc code assigned before grant | Ipc: 7G 07B 17/04 A Ipc: 7G 06F 1/00 B Ipc: 7G 06F 9/445 B |
| | AKX | Designation fees paid | Designated state(s): CH DE FR GB IT LI |
| | 17P | Request for examination filed | Effective date: 20040202 |
| | 17Q | First examination report despatched | Effective date: 20050124 |
| | RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: FRANCOTYP-POSTALIA GMBH |
| | GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
| | GRAS | Grant fee paid | Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
| | GRAA | (expected) grant | Free format text: ORIGINAL CODE: 0009210 |
| | AK | Designated contracting states | Kind code of ref document: B1 Designated state(s): CH DE FR GB IT LI |
| | REG | Reference to a national code | Ref country code: GB Ref legal event code: FG4D Free format text: NOT ENGLISH |
| | REG | Reference to a national code | Ref country code: CH Ref legal event code: EP |
| | REG | Reference to a national code | Ref country code: CH Ref legal event code: EP |
| | REG | Reference to a national code | Ref country code: DE Ref legal event code: R096 Ref document number: 50215684 Country of ref document: DE Effective date: 20130314 |
| | REG | Reference to a national code | Ref country code: GB Ref legal event code: 746 Effective date: 20130319 |
| | REG | Reference to a national code | Ref country code: DE Ref legal event code: R084 Ref document number: 50215684 Country of ref document: DE Effective date: 20130314 |
| | PLBE | No opposition filed within time limit | Free format text: ORIGINAL CODE: 0009261 |
| | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
| | 26N | No opposition filed | Effective date: 20131017 |
| | REG | Reference to a national code | Ref country code: DE Ref legal event code: R097 Ref document number: 50215684 Country of ref document: DE Effective date: 20131017 |
| | REG | Reference to a national code | Ref country code: DE Ref legal event code: R081 Ref document number: 50215684 Country of ref document: DE Owner name: FRANCOTYP-POSTALIA GMBH, DE Free format text: FORMER OWNER: FRANCOTYP-POSTALIA AG & CO., 16547 BIRKENWERDER, DE Effective date: 20130116 Ref country code: DE Ref legal event code: R081 Ref document number: 50215684 Country of ref document: DE Owner name: FRANCOTYP-POSTALIA GMBH, DE Free format text: FORMER OWNER: FRANCOTYP-POSTALIA GMBH, 16547 BIRKENWERDER, DE Effective date: 20150330 |
| | REG | Reference to a national code | Ref country code: FR Ref legal event code: PLFP Year of fee payment: 15 |
| | REG | Reference to a national code | Ref country code: FR Ref legal event code: PLFP Year of fee payment: 16 |
| | REG | Reference to a national code | Ref country code: FR Ref legal event code: PLFP Year of fee payment: 17 |
| | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: FR Payment date: 20210622 Year of fee payment: 20 Ref country code: DE Payment date: 20210506 Year of fee payment: 20 Ref country code: IT Payment date: 20210625 Year of fee payment: 20 |
| | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: CH Payment date: 20210618 Year of fee payment: 20 Ref country code: GB Payment date: 20210625 Year of fee payment: 20 |
| | REG | Reference to a national code | Ref country code: DE Ref legal event code: R071 Ref document number: 50215684 Country of ref document: DE |
| | REG | Reference to a national code | Ref country code: GB Ref legal event code: PE20 Expiry date: 20220621 |
| | REG | Reference to a national code | Ref country code: CH Ref legal event code: PL |
| | PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: GB Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20220621 |