EP2008218A2

EP2008218A2 - Recording resource usage

Info

Publication number: EP2008218A2
Application number: EP07724119A
Authority: EP
Inventors: Heiko Oester
Original assignee: Giesecke and Devrient GmbH
Current assignee: Giesecke and Devrient GmbH
Priority date: 2006-04-11
Filing date: 2007-04-10
Publication date: 2008-12-31
Also published as: CN101421740B; WO2007118638A3; WO2007118638A2; CN101421740A; US20090254465A1; DE102006016994A1

Abstract

A security module (1) with a processor (2), on which applications (8-11; 8a, 8b, 9a, 9b, 10a, 10b) from various providers (50, 51, 52) are installed, comprises a recording device (7) for recording the access of the applications (8-11; 8a, 8b, 9a, 9b, 10a, 10b) to resources (2, 4, 5, 6a, 20, 21, 28) of the security module (1), recording the total resource usage caused by an application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) and allocates the relevant application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) to a charging station for subsequent charging. The recorded usage data are allocated to usage data sets (12-16; 13a, 13b, 14a, 14b, 15a, 15b)or provider data sets (12, 15,16) on the security module (I) directly connected to the relevant application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) and/or the provider thereof (50, 51, 52) and thus permits billing of total resource use of each application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) or all the applications (8-11; 8a, 8b, 9a, 9b, 10a, 10b) of a provider (50, 51, 52).

Description

E n g lis h e a n d e t e r e t e r i a n c e m e n t i o n s

The present invention relates to a method and a device for detecting a resource consumption of, in particular on security modules, installed applications.

Today, portable data carriers, such as e.g. Smart cards, used by users for the various services. These data carriers mostly use proprietary communication interfaces and are each only suitable for the use of the service offered by the publisher of the data carrier in question. This is especially true for mobile radio cards that can be used exclusively for Mobilfunkkorrirnunikation over a mobile network, but also for other types of smart cards, e.g. Bank, account, money and credit cards, access and identification cards and the like. In order to settle the use of the respective service to the user, portable and / or transactional data, which represent the extent of the claim, are collected from the portable data carriers in a propietary manner and only for the relevant service. Thus, for example, in mobile radio cards access data are collected, which reflect the extent of use of the mobile network.

Due to this technological diversification and (still) missing standards, the problem arises for the user of such portable data carriers that for almost every service a special data carrier is involved. leads and must be used. Due to the different usage data collection, the proprietary data acquisition methods and partially also due to operating system limitations, the application and use of third-party application programs on a portable data carrier is currently not easy, since the use of the services of this third-party does not log in the same form can be, as with the conventional specialized data carriers.

WO 2005/050968 proposes a method in which the use of different mobile services by a user is logged by a detection device installed on a mobile device. This has the disadvantage that on the one hand the use of mobile services is detected by the mobile device itself and the recorded usage data in their unsecured transmission between the mobile card and the mobile device are manipulated. In addition, the transfer of this teaching to the above-described problem is not apparent.

WO 2004/021131 discloses a method for billing for the use of services of a computer system via a mobile terminal of the user. However, in the context of the present scenario of documenting the use of services of third-party providers installed on a portable data carrier, this teaching is not applicable.

No. 4,643,686 discloses a method for billing mobile services to a user of a mobile device who uses a mobile communication card inserted in the mobile radio device. be taken. The corresponding detection is performed by a device of the mobile communication card, which can detect the use of various resources of the mobile card and charge the user. However, this usage data collection only detects the extent of resource usage in connection with the use of the original mobile services offered by the publisher of the mobile radio card.

It is therefore the object of the present invention to provide a flexible and reliable detection of a claim of services of any third party by means of a security module.

This object is achieved by a device and a method having the features of the independent claims. The dependent claims describe advantageous embodiments and further developments of the invention.

A security module, preferably a portable data carrier or a permanently built-in data carrier, which can execute, by means of a processor, various applications which are present in a non-volatile memory of the security module, comprises a detection device for detecting a use of resources of the unit by certain applications present on the security module. The recorded usage data is stored in the non-volatile memory and transmitted to a clearinghouse so as to bill the use of the unit's resources against a clearinghouse. When a resource usage occurs, the detection device first determines the application that consumes the resources and to which the usage data are to be assigned. The Ver- Application data are then stored in such a way assigned to the relevant application that a billing based on the usage data is possible. In this case, the assignment of the usage data to the corresponding application can be achieved by storing the usage data in a usage data record of the relevant application or by any other assignment method that allows unambiguous linking of usage data and applications, eg by references, pointers, suitable data structures or the like.

In particular, the detection means may detect the resource usage of such applications provided by one or more providers, each different from the publisher of the unit, on the unit for execution. For this purpose, the usage data record is in the form of a provider data record linked to the respective provider, to which all usage data resulting from resource usage of an application provided by this provider is assigned directly. In this case, a technically and economically useful information is obtained about which third-party equipment resources of the unit claim and to what extent this happens. The measure thus determined for the extent of the resource utilization by applications of a third-party provider can then be the basis for billing the use of resources against the respective provider.

The usage data to be recorded for a specific application can be flexibly adapted to the respective application, for example by selecting specific resources for each individual application whose use is to be recorded. For example, when the application is uploaded to the security module, associated configuration data can also be provided the application are loaded and stored in the non-volatile memory that specify those resources whose use is to be recorded for the application in question. Likewise, configuration data can be loaded for a provider that specify the resource uses of all applications of the provider to be logged in a provider data record. From this vendor-specific usage data, useful insights into the use and use of the data carrier can be obtained.

In particular, when applications of a third-party provider are loaded onto the security module, two functional application levels are to be distinguished, namely on the one hand the actual service of the application used by a user of the data carrier, eg telebanking or a multimedia application, and on the other hand the necessary access to resources of the disk. As a rule, only the former can be charged to the user, since he can not control the extent of the resource access required for this purpose, eg to a mobile radio network. For this reason, an application can also comprise two sub-applications linked to one another, each of which realizes one of the abovementioned functional levels largely separated. The usage data of the two subapplications are then managed separately, so that the service requested by the user can be offset against him, while the required resource usage is to be offset against the provider of the application. In this case, it makes sense to also create user data records which are assigned to the application and / or use data records associated with the provider and which log the extent of utilization of the service of the application of interest to the user. For example, it may be useful to create an application-related To create or update NEN usage record and a user-related user record in order to achieve a decoupling of the pure use of the service of an application and the necessary resource usage.

There are many possibilities to organize the usage data records in the non-volatile memory so that the assignment to the respective applications and / or providers is clearly possible. For example, it is possible to create a separate usage data record for each resource usage so as to achieve flexible assignment and addressability of the usage data in the distributed evaluation of the data. In addition, the usage data sets can be stored, on the one hand, in a central memory or storage area of the non-volatile memory in which the connection of the usage data records to the respective application is established via application identifications in the usage data records. Such a central memory or memory area can also be subdivided into sub-memory areas for several use data records per application. On the other hand, separate memory areas can be created for each provider and / or for each application, or separate sub memory areas for the application data sets belonging to the respective provider can be created in separate memory areas for provider data records.

The detection device is present directly on the security module, for example in the form of an operating system function or as a normal application, so that active usage data acquisition is made possible directly by the security module. As a result, manipulations of the usage data can be excluded by avoiding safety-critical data communication. The detection device is preferably designed as a device for monitoring the accesses of the applications installed on the data carrier to the resources of the data carrier, so that the detection device, when executing an application, exercises a control function with regard to its interaction with the data carrier and its resources. The usage data are created on the basis of the accesses of an application monitored by the detection device to the resources of the data carrier.

Preferably, the detection device is integrated directly into an execution environment of the data carrier for executing applications, or it is at least in sufficiently close interaction with such an execution environment to ensure effective monitoring of the applications. This execution environment may be e.g. be an interpreter for the execution of interpretable applications, so that an application can be comprehensively controlled in their execution at least in terms of resource accesses. Preferably, this execution environment, in which the detection device is integrated or with which the detection device interacts, is integrated directly into the operating system of the data carrier. If this operating system is a Java-based operating system, eg. As the smart card operating system Java Card, the detection device can be integrated directly into the Java runtime environment.

In addition, it is possible that the secured execution environment not only detects and logs accesses of applications to resources of the data carrier and logs, but first checks an access authorization of an application to the requested resources of the data carrier. So For example, certain resources can be reserved for certain applications and / or released by the detection device, so that the protected execution environment realizes a security function in the control of resource accesses of applications.

The usage data resulting from resource accesses of applications can be determined by the detection device according to various criteria, for example as a proportionate consumption of a resource by the relevant application. Also, for example, the loading and saving of an application can already be logged as a use or it can be the period of use of a resource can be detected, for example, the amount spent in the execution of the application processor time, or the extent of resource access, such as the static see storage space the installed application or the dynamic storage space requirements during their execution, or the data volume that is sent and / or received at the request of an application via data communication interfaces of the data carrier. Likewise, it is possible for the usage data to represent the first-time use of an application or the number of resource accesses of the application and / or all applications of a particular provider. Also, the usage data may be collected due to temporary or permanent resource usage or as a lump sum that accrues at certain time intervals. In a multitasking operating system, it will be useful in many cases to at least additionally take into account the execution priority of the application process causing the use, for example as independent usage information or as a weighting factor for other usage data. The portable data carrier additionally has a data communication interface, eg. B. via a contact field according to ISO 7816 for contact-type data communication, if it is the disk to a conventional smart card, in particular a mobile card. Furthermore, the security module can have a USB ("Universal Serial Bus") or MMC interface (Multimedia Card), especially if it is a disk with a high storage capacity, such as one equipped with a NAND flash memory (U In addition, other data communication interfaces are also conceivable, eg an air interface or a near field communication interface.

Via the respective data communication interfaces, the provider data sets and / or the application data records are transmitted at regular intervals or on inquiry directly to the respective clearing office, e.g. to the relevant provider of the application and / or to the

Publisher of the data medium. This may be an active transmission of the usage data records by a communication device or the detection device of the data carrier or a release of the respective data records so that they can be called up by the clearing office via the communication interfaces of the data carrier. In this way, the collected usage data records are made available to the publisher of the data carrier either for central processing or for the decentralized use to the application providers. In this case, there is the possibility that the use or provider data records are processed by the recording device in the form of billing data in order to be able to settle the resource usage caused by the respective provider by executing its application. The usage data records can first be transferred from the portable data carrier to a background system of the database. be forwarded to the respective publishers, for example in the form of individual, possibly application-related billing data. Likewise, the respective data records can be made available directly to the corresponding provider.

The present invention can in principle be used on all portable data carriers which have a processor and sufficient memory space for installing applications, for example all forms of chip cards, such as smart cards or secure multimedia cards, or USB storage media or the like. Likewise, the invention can be applied to security modules permanently installed in terminals, for example SIM in the mobile radio device or TPM (Trusted Platform Module) in the PC. In a preferred embodiment of the invention, however, the detection device is realized on a mobile communication card, in particular on a (U) SIM mobile communication card. In this case, the transmission of usage data records in the form of short messages (SMS) or over a GPRS data channel can take place or the usage data records can be read out via an air interface of a mobile radio terminal into which the mobile radio card is inserted by the publisher and / or the providers. As a recordable and / or billable resources of a portable data carrier are initially all usable by applications hardware and software components of the disk in question. In particular, the detection of resource consumption in terms of processor time, storage volume, transfer data volume of data communication interfaces, access to any co-processors and the like may be mentioned. In addition, all operating system functions or manufacturer applications can also be considered as operating resources whose use is logged by the detector.

Further features and advantages of the invention will become apparent from the following description of inventive embodiments and alternative embodiments in conjunction with the figures. Show:

1 shows a mobile communication card as an embodiment of the invention and

FIG. 2 shows further alternative and / or supplementary embodiment variants of the embodiment of FIG. 1.

FIG. 1 shows a (U) SIM mobile communication card 1 which is inserted in a mobile radio terminal 30. The mobile radio card 1 has the usual structure of a processor chip card and, in addition to the processor 2 (CPU), comprises a memory hierarchy consisting of a permanent ROM memory 3, a rewritable EEPROM memory 4 and a volatile RAM main memory 5 , as well as one or more data communication interfaces 20, 21 for communication with an external read / write device, such. The mobile radio terminal 30. The mobile communication card 1 may e.g. comprise a common ISO 7816-3 communication interface 20 and be equipped as a 2-chip or 3-chip solution with a high-speed interface 21 which supports a high-speed data transmission protocol, e.g. Eg USB ("Universal Serial Bus") or MMC ("Multimedia Card").

Instead of the EEPROM memory 4, the mobile communication card 1 may also have a rewritable mass storage device, for example a NAND flash memory, which offers a few megabytes up to one gigabyte of storage space can. Accordingly, in the rewritable memory 4, besides the applications of the publisher (PROVIDER) of the mobile communication card 1, that is usually the mobile network operator 40, installed on a mobile communication card 1, further applications 8, 9, 10, 11 can be provided by providers 50 independent of the originator of the mobile communication card , 51, 52 are stored. These applications by publisher-independent providers provide a user of the mobile communication card 1 with a number of services that are independent of the actual purpose of the mobile communication card 1, eg banking services, travel and ticket purchase and administration, customer services of department stores and similar facilities, access services. and identification functionalities and the like. In this case, the providers 50, 51, 52 independent of the publisher 40 merely use the publisher 40's access to the user via the issuing of the mobile communication card 1.

While it is nowadays easily possible to extend the typical kilobyte storage volume of conventional (U) SIM mobile communication cards to a few megabytes, the storage volume can be extended into the gigabyte range by means of the NAND flash technology for processor smart cards , For this reason, the applications 8, 9, 10, 11 can also be more extensive program packages and accordingly provide the user of the mobile communication card 1 with complex services and functionalities.

Usually both credit card payments (prepaid

Cards) as well as contractual mobile phone cards charged billing data that capture the use of the appropriate mobile network. For this purpose, at least the total duration of all mobile calls is compiled over the mobile network to the use of the mobile network at regular intervals to the user of the mobile phone card 1 to charge. This data is stored on the mobile communication card 1 in a file EF_ACM ("Accumulated Call Meter"), which reproduces the charge units collected from a specific start time, but this information is generally not determined by the mobile communication card 1 but by the corresponding mobile radio terminal 30 , which thus has to constantly access the mobile communication card 1 for updating the fee This highly restricted protocol system, which is unsuitable for monitoring resource accesses of the applications 8, 9, 10, 11, is replaced in the present invention by a detection device 7 installed directly on the mobile communication card 1 which enables a fully and non-manipulatable recording of the resource usages of all applications 8, 9, 10, 11 and their assignment to the individual providers 50, 51, 52, completely controlled by the (U) SIM mobile communication card 1.

For this purpose, use data sets 12, 13, 14, 15, 16 are set up in the rewritable memory 4, which hold the respective application data of the applications 8, 9, 10, 11 detected by the detection device 7. In this case, the use data records 12, 13, 14, 15, 16 serve as the basis for a further calculation of the respective resource usage to the corresponding providers 50, 51, 52. In the present example, the applications 8, 9 were provided by the provider 50, the application 10 by the provider 51, and the application 11 by the provider 52 for installation on the mobile communication card 1. The resource usage of all applications 8, 9, 10, 11 of each provider 50, 51, 52 is in each case in one of the associated provider records 12, 15, 16 broken down. In this way, for example, a short message traffic (SMS) generated by a specific application 8, 9, 10, 11 can be transmitted via the relevant short message traffic (SMS). Fende mobile network to the right provider 50, 51, 52 can be easily assigned and billed. In addition, accesses to all other resources of the mobile communication card 1 can also be monitored, for example, to the processor 2, to memory 4, 5 or data communication interfaces 20, 21.

Possible useful applications 8, 9, 10, 11 which may be installed on a mobile communication card 1 are e.g. Multimedia applications, bank applications for the mobile handling of banking transactions and payment transactions, administrative applications for access and identity data, tickets and the like, or customer applications for customer-specific information or local advertising of department stores, etc. If the applications 8, 9, 10, 11 communicate with external Perform devices, this can be handled both via the conventional contact-based mobile radio interface 20 and via a provided with an antenna contactless interface. In particular, it is possible in the detection of resource accesses by the application 8, 9, 10, 11, both the static resource usage, z. B. the memory requirements of the application in question 8, 9, 10, 11 during their installation, as well as the dynamic resource use to log, z. Memory usage or data volume from messages or data packets sent or received over a high speed interface 21 or via a contactless or near field communication interface (NFC).

The ascertained use data records 12, 13, 14, 15, 16 can be sent either actively from the mobile communication card 1 or its detection device 7 to a background system of the card issuer 40 and / or one of the providers 50, 51, 52. Likewise, the records 12, 13, 14, 15, 16 of the detection device 7 in a passive manner to query by the Publisher 40 or a third party 50, 51, 52 are released. An active sending 41, 53 of the records 12, 13, 14, 15, 16 can then take place for example via the mobile network in the form of short messages (SMS) or via corresponding functionalities of the "SIM Application Toolkit", while the passive release of the records 12, 13, 14, 15, 16 for collection by an access 42, 54 can be made to the corresponding data via an air interface of the mobile station 30.

While the detection device 7 can also be stored as an application in the rewritable memory 4, the operating system 6 (OS) of the (U) SIM mobile communication card 1 is preferably expanded by the functionality of the detection device 7, so that when an application 8, 9 , 10, 11 as the application process 22, 23, 24, 25 (Pl, P2, P3, P4) for this purpose, a suitable / secured execution environment in the context of the operating system 6 is ready. This execution environment 17, 18, 19, in addition to merely updating the usage records 12, 13, 14, 15, 16, may also provide security functionality in the execution of the application processes 22, 23, 24, 25 by monitoring their activities and checking their resource accesses and, if applicable, rejected if there is no access authorization and / or release.

In particular, the execution environment 17, 18, 19 controls all accesses of application processes 22, 23, 24, 25 to the data communication interfaces 20, 21 of the (U) SIM mobile communication card 1, for example by accesses to UART buffer memories (not shown) that support the data communication - Interfaces 20, 21 are upstream of the synchronization of data inputs or outputs, or monitored directly on the contact interface 20 or a high-speed interface 21. The fact that the secure execution environment 17, 18, 19 is arranged between on the one hand the running application processes 22, 23, 24, 25 and on the other hand the requested resources, the dynamic resource usage, the data transfer volume or the number of transmitted data packets application-specific and reliable from the detection device 7 and the corresponding detection device 19 and determined in the provider data set 12, 15, 16 of the corresponding provider 50, 51, 52 are stored.

The (U) SIM mobile communication card 1 is preferably a Java mobile communication card on which the operating system 6 Java Card is installed, so that in particular the applications 8, 9, 10, 11 Java applets (APPl, APP2, APP3, APP4) executed by a Java interpreter or Java virtual machine 18 (VM). In this case, the detection device 7 is integrated into the Java Card operating system 6 in such a way that, when it is executed as a detection device process 19, it enters the Java runtime environment 17 (RE), which also includes the Java virtual machine 18. Here, the Java runtime environment 17 or the integrated capture device process 19 can allocate the resource usage via an application identifier (AID) of the corresponding application 8, 9, 10, 11 causing the resource usage.

The detection device 7 can be further configured so that the determined use records 12, 13, 14, 15, 16 either regularly, z. B. after 1000 "GSM STATUS" commands, or event-dependent, for example, in an "SMS point-to-point data download" to a background system of Mobilfunkkartenhemausgebers 40 or directly to the relevant provider 50, 51, 52 is sent , This can be done, for example, by means of the "Send SMS" instruction from the "SIM Application Toolkit". Furthermore There is a wide range of different ways to collect resource usage data, e.g. As volume or time-dependent, according to the number of resource accesses or flat rate. In the case of a lump-sum determination of the usage data, this can be used as a one-off or time-dependent lump sum, eg. B. can be booked as a monthly fee.

The usage data, in addition to being used for billing purposes, may also be used elsewhere, e.g. for the statistical evaluation of the behavior and use of application 8, 9, 10, 11 and the like.

FIG. 2 illustrates, on the basis of a (U) SIM mobile communications card 1, some further variants of the invention which can be used in addition or as an alternative to the features of the invention explained with reference to FIG. The mobile communication card 1 can be used in the same way in a mobile terminal 30 and interact with this, as described in Figure 1. Identical reference numbers also designate identical features in both figures.

The detection device 7 acquires usage data which is a use of resources 2, 4, 5, 6a, 20, 21, 28 of the mobile communication card 1 by the applications 8a, 8b; 9a, 9b; 10a, 10b represent. The usage data are stored in a memory area 26 provided for this purpose of the non-volatile memory 4 and finally transmitted to a billing center for evaluation and billing. For detecting the usage data, the detection device 7 determines those applications 8a, 8b; 9a, 9b; 10a, 10b, which has caused the relevant resource use and stores the usage data in a specific assignment to a consumption data record 13a, 13b, 14a, 14b, 15a, 15b, which coincides with the cause application 8a, 8b; 9a, 9b; 10a, 10b is linked. In this case, however, it is not necessary for the consumption data to be stored in the corresponding consumption data record 13a, 13b, 14a, 14b, 15a, 15b; instead, any desired form of association between the collected consumption data and an already stored consumption data record is possible, for example References, identification marks, complex and addressable data structures and the like. Likewise, the consumption data collected during each acquisition can also be stored as separate usage data records in addition to previously used usage data records 13a, 13b, 14a, 14b, 15a, 15b and linked in an identifiable manner.

As operating means 2, 4, 5, 6a, 20, 21, 28, the use of which is recorded by the detection device 7, in principle all hardware and software resources of the mobile communication card 1 come into question. Hardware resources are e.g. the processor 2, the non-volatile memory 4, the RAM memory 5, communication interfaces 20, 21 or the like, while software resources are mainly modules and functions 6a, which provides the operating system 6 of the mobile communication card 1, but also other on the Mobile communication card 1 installed applications 28, not by the provider of the relevant, the respective resource use causing application 8a, 8b; 9a, 9b; 10a, 10b were provided in the non-volatile memory 4.

Also, the manner of using the resources 2, 4, 5, 6a, 20, 21, 28 may be different. In addition to the uses already mentioned above, it is possible to load a new application 8a, 8b; 9a, 9b; 10a, 10b to the mobile communication card 1, storing the application 8a, 8b; 9a, 9b; 10a, 10b in the non-volatile memory 4 and their first execution as a use of eg the memory 4 and / or the communication interface 20, 21 and / or the processor 2 to capture. In any case, it makes sense to use the proportionate consumption of a resource 2, 4, 5, 6a, 20, 21, 28 by an application 8a, 8b; 9a, 9b; 10a, 10b in relation to the total circumference of the operating means 2, 4, 5, 6a, 20, 21, 28 or for the use of the operating means 2, 4, 5, 6a, 20, 21, 28 by other applications 8a, 8b; 9a, 9b; 10a, 10b to register. If the mobile radio card 1 has a multitasking or multithreading-capable operating system 6, which can execute several processes concurrently, it is useful in this context to record the execution priority of the corresponding application process as operating means, since this is a preferred embodiment of the relevant application 8a , 8b; 9a, 9b; 10a, 10b represented by the processor 2, which can be charged to a provider.

The applications 8a, 8b; 9a, 9b; 10a, 10b can each consist of two subapplications whose resource accesses are recorded separately.

In this case, one of the subapplications 8a, 9a, 10a realizes the actual service used by the user of the mobile communication card 1, for example an online banking transaction via WAP ("Wireless Application Protocol"), a biometric identification or any multimedia application, such as For example, the loading or playback of digital audio or video data or the like, this service requested by the user can then be charged to him The other of the subapplications 8b, 9b, 10b implements the necessary to provide the service of the first subapplication 8a, 9a, 10a Accesses to the resources 2, 4, 5, 6a, 20, 21, 28 of the mobile communication card 1. This triggered by the request of the user resource uses that can not be charged to the user, as he usually does not overlook their scope and 9a, 9b, 10a, 10b are reduced compared to the provider of the application 8a, 8b; Therefore, it makes sense, the Scope of the use of services in user data records, which goes back to the subapplications 8a, 9a, 10a, separately from the usage data records 13a, 13b, 14a, 14b, 15a, 15b which are based on the subapplications 8b, 9b, 10b. The user data records are also stored in the non-volatile memory 4, for example in a separate user data memory area 27. Thus, for example, it is possible when executing an application 8a, 8b; 9a, 9b; 10a, 10b respectively store an application-related usage data record 13a, 13b, 14a, 14b, 15a, 15b in the usage data storage area 26 and a user-related user record in the user data storage area 27 in order to decouple the usage data attributable to the provider and the user.

In addition to the manner shown in FIG. 1, the organization of the usage data or of the usage memory area 26 can take place in a variety of other ways such that an assignment of collected usage data to usage data records 13a, 13b, 14a, 14b, 15a, 15b and applications 8b, 9b , 10b or providers is possible. On the one hand, a central storage area 26a for the usage records 13a, 13b; 14a, 14b; 15a, 15b of all applications 8a, 8b, 9a, 9b, 10a, 10b are applied. The individual usage data records 13a, 13b; 14a, 14b; 15a, 15b can then be assigned by any mechanism of the particular application, e.g. by one in the usage record 13a, 13b; 14a, 14b; 15a, 15b specified application identification AID.

On the other hand, a memory area 26b for usage data can also be divided into application-specific memory areas, each of which has an application 8a, 8b; 9a, 9b; 10a, 10b are assigned. In the sketched memory area 26b is for each application 8a, 8b; 9a, 9b; 10a, 10b a rich, in each of which use records 13a, 13b; 14a, 14b; 15a, 15b of the corresponding application 8a, 8b; 9a, 9b; 10a, 10b are stored. Moreover, it is also possible to provide a usage data storage area 26c containing the usage records 13a, 13b; 14a, 14b; 15a, 15b is not divided according to the causative applications, but according to the providers who have provided these applications 8a, 8b, 9a, 9b, 10a, 10b on the mobile communication card 1. The usage data records 13a, 13b, 14a, 14b of all applications 8a, 8b originating from the same provider; 9a, 9b are then stored in a common memory area. In principle, any memory organization or data structure is conceivable which allows the assignment of usage data records 13a, 13b; 14a, 14b; 15a, 15b to those applications 8a, 8b, 9a, 9b, 10a, 10b that have caused the corresponding resource usage. Therefore, for example, separate memory areas for each provider and each application as well as separate memory areas in the respective memory area of an application can be set up.

It may be useful, in an application 8a, 8b, 9a, 9b, 10a, 10b not always to detect each resource use, but only uses of certain predetermined resources 2, 4, 5, 6a, 20, 21, 28, for example to the To minimize administrative burden or provide certain resources 2, 4, 5, 6a, 20, 21, 28 as a basic infrastructure without billing available. This can be for both applications 8a, 8b; 9a, 9b; 10a, 10b as well as for providers by configuration data sets 8c, 9c, 10c are achieved individually with the application in question 8a, 8b; 9a, 9b; 10a, 10b are loaded onto the mobile communication card 1. The configuration data sets 8c, 9c, 10c are read out by the detection device 7 and provide information about which resources 2, 4, 5, 6a, 20, 21, 28 to monitor and bill against the relevant provider. Although the above-described embodiments relate to mobile radio cards, the present invention is not limited to such portable data carriers, but can be used on all equipped with a processor and sufficient memory security modules such. As secure multimedia cards, conventional smart cards or USB storage media or the like. The security module can also be permanently installed in a terminal. In addition to the classic application possibilities of chip cards, such as electronic stock exchange, credit card, entry card, etc., the present invention is therefore particularly applicable in connection with multimedia data carriers that manage any multimedia data and their access rights and eg in interaction with databases on the Internet to temporarily or permanently load and use multimedia data. In this application scenario too, the present invention makes it possible to uniquely link the corresponding service with a secure payment by the user or the corresponding providers of the multimedia data or applications.

Claims

Patent claims

A method in a security module (1), comprising the steps of: - acquiring usage data representing use of resources (2, 4, 5, 6a, 20, 21, 28) of the security module (1); Storing the usage data in a non-volatile memory (4) of the security module (1); Transmitting the stored usage data to an accounting agency (40, 50, 51, 52); characterized by the step of

Determining an application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) stored on the security module (1) which causes the resource usage represented by the usage data and in that - in the step of storing, the usage data associated with the detected application (8 - 11, 8a, 8b, 9a, 9b, 10a, 10b) are stored.

2. The method according to claim 1, characterized in that in the non-volatile memory (4) with the application (8 - 11; 8a, 8b, 9a, 9b,

10a, 10b) associated with the determined usage data and transmitted to the clearinghouse (40, 50, 51, 52).

A method according to claim 1 or 2, characterized in that the application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) is one of a provider independent of a publisher of the data carrier (1). on the security module (1) provided application (8 - 11; 8a, 8b, 9a, 9b, 10a, 10b) and in the non-volatile memory (4) as a use data set (12-16; 13a, 13b, 14a, 14b, 15a, 15b) there is a vendor record (12, 15, 16) associated with the vendor (50, 51, 52) to which the application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) associated usage data.

4. Method according to one of the preceding claims, characterized in that the determined application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) comprises two sub-applications linked to one another, one of the subapplications being one of a user of the data carrier ( 1) realized service and the other of the subapplications causes the use of resources.

5. The method according to any one of the preceding claims, characterized in that in the non-volatile memory (4) is a linked to the user user record, which is assigned a scope of the use of the service.

6. Method according to one of the preceding claims, characterized in that a separate use data record (12-16, 13a, 13b, 14a, 14b, 15a, 15b) and / or a separate provider data record (12, 15, 16) is recorded for each detected resource usage. and / or a separate user record is created.

7. The method according to claim 6, characterized in that the use data record (12-16, 13a, 13b, 14a, 14b, 15a, 15b) and / or the provider record (12, 15, 16) and / or the user data set to the Provider (50, 51, 52) and / or the publisher (40) actively transmitted as billing or provided for retrieval by the clearinghouse on the security module (1).

8. The method according to any one of the preceding claims, characterized in that the use data set (12-16, 13a, 13b, 14a, 14b, 15a, 15b) in separate memory areas for each application (8 - 11, 8a, 8b, 9a, 9b , 10a, 10b) and / or each provider (50, 51, 52) or in a common memory area (26, 26a, 26b, 26c) is stored.

9. The method according to any one of the preceding claims, characterized in that on the security module (1) for at least one application (8-11, 8a, 8b, 9a, 9b, 10a, 10b) and / or for at least one provider ( 50, 51, 52) there is a configuration data record (8c, 9c, 10c) indicating the resource usages to be detected for the corresponding application (8-11, 8a, 8b, 9a, 9b, 10a, 10b).

10. The method according to any one of the preceding claims, character- ized in that the resources (2, 4, 5, 6a, 20, 21, 28) comprise hardware components of the data carrier (1), in particular a processor (2), memory (4 , 5), data transmission capacity and / or communication interfaces (20, 21), and / or software components (6a, 28) of the data carrier (1).

11. The method according to the preceding claims, characterized in that use data are detected, a proportionate consumption of a resource (2, 4, 5, 6a, 20, 21, 28) by the application (8 - 11, 8a, 8b, 9a , 9b, 10a, 10b), in particular a duration and / or a scope and / or a number of resource accesses of the application (8-11, 8a, 8b, 9a, 9b, 10a, 9b).

12. The method according to any one of the preceding claims, characterized in that use data are recorded, the one Ausfüh- tion priority of the applied application (8-11, 8a, 8b, 9a, 9b, 10a, 9b).

13. Method according to one of the preceding claims, characterized in that the usage data record (12-16; 13a, 13b, 14a, 14b, 15a,

15b) is processed in the form of billing data and the resource usage caused by the application (8 - 11; 8a, 8b, 9a, 9b, 10a, 10b) is billed to the corresponding provider (50, 51, 52) with the aid of the billing data.

A security module (1) comprising a non-volatile memory (4), operating means (2, 4, 5, 6a, 20, 21, 28), detection means (7) for detecting usage data which is one of on the Security module (1) present application (8-11, 8a, 8b, 9a, 9b, 10a, 10b) caused use of the resources (2, 4, 5, 6a, 20, 21, 28) represent, and in the not volatile memory (4) and a communication device (20, 21), which transmits the stored use data to a clearing point (40, 50, 51, 52), characterized in that the detection device (7) is arranged, the application (8 - 11; 8a, 8b, 9a, 9b, 10a, 10b) which causes the resource usage represented by the usage data, and the usage data associated with the determined application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) in the non-volatile memory (4).

15. Security module (1) according to claim 14 adapted for carrying out a method according to one of claims 1 to 13.

16. Security module (1) according to claim 14 or 15, characterized in that the detection device (7) has a secured execution environment. (17, 18, 19), which controls the execution of the application (8-11, 8a, 8b, 9a, 9b, 10a, 10b) by a processor (2) of the data carrier (1).

17. Security module (1) according to claim 16, characterized in that the secure execution environment (17, 18, 19) is integrated in an operating system (6) of the data carrier (1).

18. Security module (1) according to claims 16 to 17, characterized in that the operating system (6) of the data carrier (1) is a Java operating system, in particular the Java Card operating system, and the secure execution environment (17, 18, 19 ) is integrated in a Java runtime environment (17) of the Java operating system.

19. Security module (1) according to one of claims 16 to 18, characterized in that the secure execution environment (17, 18, 19) is set up in the execution of the application (8-11; 8a, 8b, 9a, 9b , 10a, 10b) only allow uses of resources (2, 4, 5, 6a, 20, 21, 28) reserved or released for the application (8-11; 8a, 8b, 9a, 9b, 10a, 10b) are.

20. Security module (1) according to any one of claims 14 to 19, characterized by a high-speed data communication interface (21), preferably a USB interface or MMC interface.

21. Security module (1) according to one of claims 14 to 20, characterized in that the security module (1) is a (U) SIM mobile communication card and / or the non-volatile memory (4) is a mass memory for storing applications (8 11, 8a, 8b, 9a, 9b, 10a, 10b), preferably a NAND Flash memory.

22. Security module (1) according to one of claims 14 to 20, characterized in that the security module (1) is permanently installed in a terminal, preferably a mobile unkendgerät.

23. A system comprising a billing server, a terminal and a security module (1) according to one of claims 14 to 22.