EP1769470A1 - Method for managing a multi-application smart card - Google Patents

Method for managing a multi-application smart card (Verfahren zur Verwaltung einer Mehrfach-Anwendungs-Chipkarte)

Info

Publication number
EP1769470A1
Authority
EP
European Patent Office
Prior art keywords
application
card
provider
security domain
identifier
Prior art date
Legal status
Withdrawn
Application number
EP05752666A
Other languages
English (en)
French (fr)
Inventor
François Millet
Jean-François DURIX
Current Assignee
Thales DIS France SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date
2004-06-23
Filing date
2005-06-09
Publication date
2007-04-04
Application filed by Gemplus Card International SA and Gemplus SA (2005-06-09)
Publication of EP1769470A1 (2007-04-04)
Legal status: Withdrawn (application deemed withdrawn with effect from 2015-01-06)

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F 7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F 7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F 7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F 7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F 21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 20/00 Payment architectures, schemes or protocols
    • G06Q 20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q 20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q 20/355 Personalisation of cards for use
    • G06Q 20/3552 Downloading or loading of personalisation data

Definitions

  • The present invention relates, in general, to the field of so-called "smart cards", in the sense that such cards constitute an electronic data medium in a reduced card format, equipped with processing capability implemented by a microprocessor, its operating system and their environment (memories of various types, inputs/outputs).
  • The invention more particularly relates to multi-application smart cards, which hold a plurality of applications installed on the same card and thus allow the execution of advanced applications dedicated to various uses.
  • In such cards, it is mainly the card issuing entity that is competent to manage the contents of the card.
  • The different security domains are implemented on the card by dedicated applications, one per security domain, which implement and enforce the mode of operation agreed contractually between the card issuer and each application provider.
  • These security domain applications have the role of authenticating and verifying the applications of the associated application provider during the download process. They also offer services common to all the applications of a given application provider, without which those applications could not execute on the card.
  • The security domain of an application provider is therefore the application, created on the card during its initialization, that guarantees the proper functioning of that provider's applications installed on the card after its delivery.
  • When an application is loaded, it is essential to ensure that it is linked to the security domain on the card associated with the provider of that application.
  • The application provider that owns the application is thereby assured that the rules for operating and using its application on the card, set by contract with the card issuer, will be respected.
  • It is the card issuing entity that specifies the security domain to be associated with an application when it is downloaded.
  • The management of the life cycle of an application provider's applications is placed under the authority of the card issuer, in accordance with the operating conditions initially agreed by contract between the issuing entity and the provider.
  • The card issuing entity is thus entitled to take control of an application provider's application already installed on the card, in particular to lock it so as to control access to it, or to remove it from the card, for example when the agreement between the provider and the issuing entity has expired.
  • However, no specific mechanism is provided on the card to ensure that the application provider has actually given its authorization for the deletion or locking of one of its applications on the card.
  • This authorization matters because a card application remains the responsibility of its provider, and any action on it should normally be performed with that provider's consent.
  • Moreover, when an application is loaded, it most often imports other applications or APIs.
  • The present invention, which is based on these findings, aims to provide specific mechanisms to obtain the authorization of an application provider prior to any action performed on an application delivered by that provider on a multi-application card, so that the provider can control the access to and use of its applications on the card and thereby ensure, in particular, respect for its property rights.
  • The present invention thus aims at reinforcing the conditions under which the contractual links underlying the cooperation between the card issuing entity and the application provider are realized. With this objective in view, the invention relates to a method for managing a multi-application electronic device comprising an operating system designed to support a plurality of applications, each application belonging to an application provider.
  • The method is characterized in that, upon receipt of a command to load an application onto the device, the operating system verifies that the application is associated with the security domain corresponding to that application's provider and, if the verification succeeds, authorizes its loading and installation on the device, attaching it automatically to that security domain.
  • In one embodiment, the verification step consists of searching among the security domains installed on the device for the one whose application provider identifier matches the identifier of the application to be loaded.
  • In another embodiment, the received load command carries, in addition to the application to be loaded, the application provider identifier of the security domain to be associated with it; the check then consists of verifying that this identifier matches the identifier of the application.
  • Advantageously, the device's operating system implements a step of controlling access to at least one application installed on the device, performed by the security domain of the application provider to which that application is associated, before allowing an action on the application.
  • The access control consists of requiring the production of an electronic signature and verifying that signature.
  • The action on the application may consist of deleting the application from the device.
  • The action on the application may also consist of locking the use of the application.
  • The action on the application may also consist of the at least partial use of the application by a new application, belonging to another application provider, loaded onto the device.
  • The applications may consist of application programming interfaces (APIs).
  • The invention also relates to a multi-application smart card characterized in that it comprises means for implementing the method just described.
  • Preferably, the card is a JavaCard type card.
  • FIG. 1 schematically illustrates the mode of managing the contents of the card according to the invention, during the phase of loading and installing an application on the card.
  • FIG. 2 illustrates an example of the mode of managing the contents of the card according to the invention, in the case of an import of an application already installed on the card.
  • In a preferred embodiment, the multi-application smart card is based on the JavaCard (registered trademark) operating system.
  • FIG. 1 thus illustrates, in this context, a mode of managing a multi-application card 10 equipped with its operating system OS, during the phase of loading an application onto the card.
  • In this example, the application loaded onto the card consists of an application programming interface API1 provided by an application provider P1.
  • A security domain SD(P1) for the application provider P1 has been implemented on the card; it encompasses all the applications and application programming interfaces belonging to this particular provider.
  • The programming interfaces form a set of Java libraries grouping predefined procedures and objects, which can be used in a modular way and make it possible to implement Java applications.
  • AID stands for "Application Identifier".
  • RID stands for "Registered Application Provider Identifier". In ISO/IEC 7816-5 numbering, which JavaCard follows, the RID is the 5-byte prefix of every AID, which is what makes the comparison between an application's AID and a security domain's RID below possible.
  • Upon receipt of the command to load the programming interface API1 onto the card, the card's operating system OS automatically checks, as illustrated by reference 20 in Figure 1, that the security domain SD(P1) chosen for this application has the same RID as the application in question.
  • In a first variant, the operating system OS searches a list at its disposal, referencing all the security domains installed on the card, for a security domain whose RID corresponds to the AID of the API1 to be loaded.
  • The security domain SD(P1) is then found, and the operating system OS authorizes the loading and installation of API1 on the card, attaching it automatically to the associated security domain SD(P1).
  • In a second variant, the RID of the application provider corresponding to the security domain that is to be associated with API1 is transmitted along with API1 itself.
  • The verification 20 then simply consists of checking that this RID corresponds to the AID of the application, to ensure that the loaded API1 is linked to the security domain SD(P1) associated with its provider. If the verification 20 fails, the card rejects the loading of API1.
  • Another object of the invention is to ensure, by specific means provided on the card, that the authorization of the relevant application provider has been obtained when the operating system OS wishes to access one of that provider's applications already installed on the card in order to perform any action on it.
  • Typically, this action can consist of deleting the application or locking its use on the card.
  • A privilege is then set for the security domains of application providers who wish to control access to their applications on the card and to have their authorization formally requested before any action to delete or lock those applications.
  • This specific information characterizes such a security domain and can then be used by the card's operating system as the criterion for determining whether an access authorization is required when it wishes to access an application attached to this security domain, for example to delete it.
  • Concretely, when the operating system sees this privilege, it must call a particular interface on the security domain so that the latter grants access to the application targeted by the deletion.
  • To this end, an electronic signature is added to the command issued by the operating system, and this signature must first be verified by the associated security domain.
  • This access control to an application on the card, imposed by the security domain of the application provider to which the application is attached, is also implemented when the action on the application consists of its use, at least in part, by a new application loaded onto the card and belonging to another application provider. Indeed, when a new application or programming interface is loaded, it may have to use other programming interfaces already installed on the card and belonging to the security domain of another application provider in order to operate. In that case, to preserve that provider's property rights, it is important to allow the provider to control the use of its applications or APIs on the card.
  • FIG. 2 illustrates an example of this mode of managing the contents of the card, in the case where an application already installed on the card is imported by an application belonging to another application provider.
  • A security domain SD(P1) associated with the application provider P1 is installed on the multi-application smart card 10.
  • The application programming interfaces API1, API2 and API3 belonging to this provider P1 have already been loaded and installed on the card according to the management mode explained above with reference to Figure 1, and are thus attached to the security domain SD(P1).
  • A programming interface API P2, from an application provider P2 different from P1, is loaded onto the card.
  • This interface API P2 wants to use the interface API1 of application provider P1 that is already on the card. In other words, it must import resources from API1 in order to be loaded onto the card.
  • The programming interface API1 that API P2 must import belongs to a security domain SD(P1) that wants to control access to it.
  • A privilege is defined for the security domain SD(P1), which lets the card's operating system know that this security domain requires the production of a signature before allowing a link to its associated API1.
  • Seeing this privilege, the card's operating system OS, before authorizing the link between API P2 and API1, calls an interface on the security domain SD(P1) so that the latter gives its authorization.
  • The signature, which will normally have been issued by the application provider P1 to allow the link to its API1, must be supplied when API P2 is loaded onto the card.
  • The operating system delegates verification of the signature to the security domain SD(P1), which checks it before authorizing the use of its API1's resources. If the signature verifies successfully, API P2 is installed on the card. If not, API P2 is not allowed to load, since this means it is trying to use resources it is not entitled to access.
  • In practice, on loading, the operating system identifies the list of applications already installed on the card that the application being loaded wants to use, and determines the security domains associated with those applications.
  • The operating system then performs this access control for each of them.
  • The features of the present invention may more generally apply to any multi-application electronic device comprising an operating system intended to support a plurality of applications.
  • The present invention can, for example, be applied to managing the contents of a PC-type microcomputer, the issuing entity then being the owner of the PC.
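The two mechanisms described above, the load-time RID check of Figure 1 (in both variants) and the signature-gated delete, lock and import actions of Figure 2, can be exercised together in a small model of the card operating system. The following is an added illustration written for this page, not code from the patent or from Gemplus/Thales. It assumes ISO/IEC 7816-5 AIDs (5-byte RID prefix), models the "electronic signature", whose algorithm the patent leaves open, as HMAC-SHA256 with a per-provider key held by the security domain, represents the privilege as a boolean on the security domain, and uses constructed identifiers and keys (P1_RID, P2_RID, P1_KEY, API1, API_P2) that are not registered values.

```python
import hashlib, hmac
from dataclasses import dataclass
RID_LEN = 5  # ISO/IEC 7816-5: an AID is 5..16 bytes and begins with the 5-byte RID

def rid_of(aid: bytes) -> bytes:
    if not RID_LEN <= len(aid) <= 16:
        raise ValueError("AID must be 5 to 16 bytes")
    return aid[:RID_LEN]

def provider_sign(key: bytes, command: bytes) -> bytes:
    """Provider side. The patent names no algorithm; HMAC-SHA256 is assumed here."""
    return hmac.new(key, command, hashlib.sha256).digest()

@dataclass
class SecurityDomain:
    """Card-side representative of one application provider."""
    rid: bytes
    key: bytes                     # provider key held by the SD (assumption)
    controls_access: bool = False  # the 'privilege' described in the text

    def authorize(self, command: bytes, signature) -> bool:
        """Verify the provider's signature carried in a command."""
        if signature is None:
            return False
        return hmac.compare_digest(provider_sign(self.key, command), signature)

@dataclass
class Application:
    aid: bytes
    domain: SecurityDomain
    imports: tuple = ()
    locked: bool = False

class CardOS:
    def __init__(self, *domains: SecurityDomain) -> None:
        self.domains = {sd.rid: sd for sd in domains}  # created at initialisation
        self.apps = {}                                 # AID -> Application

    def load(self, aid: bytes, imports=(), signatures=None, declared_rid=None) -> str:
        """LOAD command (check 20 of Fig. 1). Returns 'INSTALLED' or a rejection reason."""
        rid = rid_of(aid)
        # Variant 2: the command names the target SD; its RID must match the AID's RID.
        if declared_rid is not None and declared_rid != rid:
            return "RID_MISMATCH"
        # Variant 1: look the SD up by the RID carried in the AID.
        domain = self.domains.get(rid)
        if domain is None:
            return "NO_SECURITY_DOMAIN"
        # Fig. 2: each imported package's SD may demand its provider's signature.
        for dep_aid in imports:
            dep = self.apps.get(dep_aid)
            if dep is None or dep.locked:
                return "IMPORT_UNAVAILABLE"
            if dep.domain.controls_access:
                sig = (signatures or {}).get(dep_aid)
                if not dep.domain.authorize(b"IMPORT" + aid + dep_aid, sig):
                    return "IMPORT_DENIED"
        self.apps[aid] = Application(aid, domain, tuple(imports))  # auto-attach to SD
        return "INSTALLED"

    def act(self, verb: bytes, aid: bytes, signature=None) -> bool:
        """Issuer action b'DELETE' or b'LOCK'; the owning SD must consent if privileged."""
        app = self.apps.get(aid)
        if app is None or verb not in (b"DELETE", b"LOCK"):
            return False
        if app.domain.controls_access and not app.domain.authorize(verb + aid, signature):
            return False
        if verb == b"DELETE":
            del self.apps[aid]
        else:
            app.locked = True
        return True

# Constructed sample identifiers and keys (not real registered RIDs).
P1_RID, P2_RID = bytes.fromhex("A000000101"), bytes.fromhex("A000000202")
P1_KEY = b"provider-1-authorization-key"
API1 = P1_RID + bytes.fromhex("0001")    # API1 of provider P1
API_P2 = P2_RID + bytes.fromhex("0001")  # API P2 of provider P2

def demo() -> dict:
    """Replay the scenario of Figures 1 and 2; returns each command's outcome."""
    card = CardOS(SecurityDomain(P1_RID, P1_KEY, controls_access=True),
                  SecurityDomain(P2_RID, b"provider-2-key"))
    ok_sig = provider_sign(P1_KEY, b"IMPORT" + API_P2 + API1)
    bad_sig = provider_sign(b"wrong-key", b"IMPORT" + API_P2 + API1)
    return {
        "load_api1": card.load(API1),
        "load_unknown_rid": card.load(bytes.fromhex("A000000303") + b"\x00\x01"),
        "load_wrong_declared_sd": card.load(API1 + b"\x02", declared_rid=P2_RID),
        "import_unsigned": card.load(API_P2, imports=(API1,)),
        "import_bad_sig": card.load(API_P2, imports=(API1,), signatures={API1: bad_sig}),
        "import_signed": card.load(API_P2, imports=(API1,), signatures={API1: ok_sig}),
        "delete_unsigned": card.act(b"DELETE", API1),
        "delete_signed": card.act(b"DELETE", API1, provider_sign(P1_KEY, b"DELETE" + API1)),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

Two points the model makes visible. The RID comparison is a consistency check between identifiers supplied by whoever issues the load command, not an authenticity check: it prevents an application from being attached to the wrong provider's security domain, but the only thing that actually proves the provider's consent is the signature the security domain verifies. And a signature over just the verb and AID, as modelled here, can be replayed by anyone who has seen it once; the patent text does not address this, so a deployment would include a counter or challenge in the signed data.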

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Business, Economics & Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)
EP05752666A 2004-06-23 2005-06-09 Method for managing a multi-application smart card Withdrawn EP1769470A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0406838A FR2872309A1 (fr) 2004-06-23 2004-06-23 Method for managing a multi-application smart card
PCT/EP2005/052684 WO2006000531A1 (fr) 2004-06-23 2005-06-09 Method for managing a multi-application smart card

Publications (1)

Publication Number Publication Date
EP1769470A1 true EP1769470A1 (de) 2007-04-04

Family

ID=34946218

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05752666A Withdrawn EP1769470A1 (de) 2004-06-23 2005-06-09 Method for managing a multi-application smart card

Country Status (4)

Country Link
US (1) US20080034423A1 (de)
EP (1) EP1769470A1 (de)
FR (1) FR2872309A1 (de)
WO (1) WO2006000531A1 (de)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7797545B2 (en) 2005-09-29 2010-09-14 Research In Motion Limited System and method for registering entities for code signing services
EP1770589B1 (de) 2005-09-29 2009-12-09 Research In Motion Limited System and method for registering entities for code signing services
US8340289B2 (en) 2005-09-29 2012-12-25 Research In Motion Limited System and method for providing an indication of randomness quality of random number data generated by a random data service
EP1770587A1 (de) * 2005-09-29 2007-04-04 Research In Motion Limited Remote hash generation in a system and method for providing code signing services
EP1770588B1 (de) * 2005-09-29 2008-12-17 Research In Motion Limited System and method for providing code signing services
EP1770586B1 (de) * 2005-09-29 2008-12-17 Research In Motion Limited Account management in a system and method for providing code signing services
WO2009007653A1 (fr) * 2007-07-03 2009-01-15 France Telecom Method for protecting applications installed on a secure module, and associated terminal, security module and communicating device
FR2923041B1 (fr) * 2007-10-25 2011-08-19 Radiotelephone Sfr Method for securely opening a microcircuit card to third parties
US8270963B1 (en) 2010-10-01 2012-09-18 Viasat, Inc. Cross domain notification
US8458800B1 (en) 2010-10-01 2013-06-04 Viasat, Inc. Secure smartphone
US9113499B2 (en) 2010-10-01 2015-08-18 Viasat, Inc. Multiple domain smartphone
US8495731B1 (en) * 2010-10-01 2013-07-23 Viasat, Inc. Multiple domain smartphone
US9052891B2 (en) * 2013-05-14 2015-06-09 International Business Machines Corporation Declarative configuration and execution of card content management operations for trusted service manager
CN104102507B (zh) * 2014-06-24 2017-05-10 飞天诚信科技股份有限公司 Method for implementing JavaCard application function extension
CN107360310B (zh) * 2014-12-12 2019-12-13 华为技术有限公司 Mobile terminal and resource management method therefor
CN111221583B (zh) * 2020-01-03 2022-02-25 广东岭南通股份有限公司 Multi-smart-card startup management device and system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69827405T2 (de) * 1997-03-24 2005-05-19 Visa International Service Association, Foster City System and method for a multi-purpose smart card enabling subsequent storage of an application on the card
WO2000025278A1 (en) * 1998-10-27 2000-05-04 Visa International Service Association Delegated management of smart card applications
US6971015B1 (en) * 2000-03-29 2005-11-29 Microsoft Corporation Methods and arrangements for limiting access to computer controlled functions and devices
JP3808297B2 (ja) * 2000-08-11 2006-08-09 株式会社日立製作所 IC card system and IC card
JP3880384B2 (ja) * 2001-12-06 2007-02-14 松下電器産業株式会社 IC card

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2006000531A1 *

Also Published As

Publication number Publication date
FR2872309A1 (fr) 2005-12-30
WO2006000531A1 (fr) 2006-01-05
US20080034423A1 (en) 2008-02-07

Similar Documents

Publication Publication Date Title
EP1769470A1 (de) Method for managing a multi-application smart card
US6941270B1 (en) Apparatus, and associated method, for loading a mobile terminal with an application program installed at a peer device
EP0446081B1 (de) Method for loading a user program into a microprocessor memory card reader, and system for carrying out the method
CA2971670A1 (fr) Method for processing a transaction from a communication terminal
EP1240570A2 (de) Access control for applications cooperating in a smart card
EP3435269B1 (de) Firewall for software
EP1649363B1 (de) Method for managing software components integrated into an embedded system
EP3132399A1 (de) Method for processing transaction data, device and corresponding program
WO2001084512A1 (fr) Multi-application smart card
FR2817055A1 (fr) Executing an application in a portable electronic object with low memory capacity
EP1388134A1 (de) Method and system for managing data intended for storage in a programmable smart card
EP2336938B1 (de) Method for controlling access to a contactless interface in an integrated circuit with dual contact and contactless communication interfaces
FR2923041A1 (fr) Method for securely opening a microcircuit card to third parties
EP3648491B1 (de) Secure multi-configuration element and corresponding method
FR2812419A1 (fr) Method for securing access to a microprocessor user card
FR3090959A1 (fr) Processing an electronic ticketing service
EP4199411B1 (de) Method for determining an authorization to implement a federated resource, blockchain, devices and program therefor
FR2812101A1 (fr) Protocol for exchanging messages between applications installed on an embedded system, and corresponding embedded system
EP2115656B1 (de) Method for changing a secret in a cryptographic module, particularly in an unprotected environment
Akram et al. Feature Interaction Problems in Smart Cards with Dynamic Application Lifecycle and Their Countermeasures
FR3144339A1 (fr) Protecting an electronic device
FR3144338A1 (fr) Protecting an electronic device
FR3134493A1 (fr) Method for activating a user profile in a terminal device, and corresponding device, system and computer program
EP1233383A1 (de) Method and device for managing smart card applications
WO2003003317A1 (fr) Method for verifying access rights to computer files

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20070110

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

17Q First examination report despatched

Effective date: 20070730

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GEMALTO SA

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20150106