EP2531983A1 - Komplettierung portabler datenträger - Google Patents
Komplettierung portabler datenträgerInfo
- Publication number
- EP2531983A1 EP2531983A1 EP11703594A EP11703594A EP2531983A1 EP 2531983 A1 EP2531983 A1 EP 2531983A1 EP 11703594 A EP11703594 A EP 11703594A EP 11703594 A EP11703594 A EP 11703594A EP 2531983 A1 EP2531983 A1 EP 2531983A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- completion
- data
- record
- authorization
- security module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/355—Personalisation of cards for use
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3823—Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/388—Payment protocols; Details thereof using mutual authentication without cards, e.g. challenge-response
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/0806—Details of the card
- G07F7/0813—Specific details related to card security
- G07F7/0826—Embedded security module
Definitions
- the present invention relates to a method for completing portable data carriers and to a security module and a system for carrying out such a method.
- an operating system mask is inserted in a non-rewritable, non-volatile memory of the data carrier, for example a ROM memory, in a first production step.
- the completion step the introduced operating system mask is completed. This fixes any errors in the operating system mask and loads operating system extensions. Furthermore, the possibly corrected and extended operating system is configured appropriately.
- Corresponding completion data are thereby loaded into a non-volatile, rewritable memory of the data carrier, for example an EEPROM memory.
- the data carrier is connected to a suitable completion device on which the completion data is provided.
- EP 1 722 336 A2 describes a method for generating initialization data for a security data carrier.
- a security module for example a USB token, is provided, on which secret data for generating the initialization data are stored.
- the security module can be further configured to receive input data and to generate the initialization data by means of own routines using the secret data.
- EP 1 722336 A2 neither describes how initialization data that can be generated or generated in a secure manner can be introduced into corresponding security data carriers nor how the free use of the generated initialization data can be restricted as intended.
- Object of the present invention is to allow the completion of small amounts of portable data carriers in particular simple, effective and at the same time completely controllable.
- the present invention relates inter alia to a method for completing at least one portable data carrier connected to a completion device.
- a completion data record present on the completion device is introduced into the data carrier.
- a security module is connected to the completion device for this purpose.
- Various authorization records are provided on the security module.
- the security module includes a management application for managing the various authorization records.
- Each of the authorization records specifies exactly one complete set.
- each of the authorization data records is assigned to exactly one completion data record.
- the management application on the security module monitors completion of the at least one volume according to the specification in an authorization record selected from the various authorization records.
- the administration of the authorization data records to the security module by the administration application comprises, in particular, the introduction of new authorization data records, the blocking or deletion of existing authorization data records, which are provided, for example, by new authorization data records. replaced, as well as various status queries regarding currently available authorization records.
- the method according to the invention thus does not exclude that at least temporarily only one authorization data record is present on the security module, which is suitable for specifying a completion.
- the security module usually includes a plurality of different authorization records for specifying various completions by means of a security module.
- a specification of a completion here includes, in particular, information about a corresponding completion data record, a data carrier to be completed and / or a security module to be monitored for this purpose.
- the number of permissible completions as well as the configuration of a completion can also be specified by the authorization data record.
- the specification may include further specifications concerning the completion.
- An authorization data record thus essentially determines the completion to be carried out, by at least specifying who is allowed to complete which data carriers, which data carriers, which data carriers, and which data.
- An authorization data set can thus also be regarded in some way as a form of control or control data, since not only are those who are authorized to complete the code given, but also preferably how those authorized persons have to act, which actions are excluded and the like.
- the administration application on the security module supervises the completion by the fact that the data required for the completion only by the management application on the basis of the selected Authorization record provided.
- data may be, for example, secret data for authentication against the data carrier to be completed or test data for checking a configuration of a completed data carrier.
- the management application thus represents a kind of control or control application, but rather a passive, indirect form of control is present.
- a completion of portable data carriers can be delegated.
- the completion does not necessarily have to be done directly at the manufacturer of the data carrier, but for example at an external test department, a customer of the manufacturer or the like.
- the introduction of completion data into the data carrier can be carried out there under monitoring of the security module.
- the completion of small test series thus does not further obstruct the completion process of the large-volume series production with already extensively tested completion data at the data carrier manufacturer. This ensures a simple and effective completion process both for large series in the disk manufacturer as well as for small test series at the external site.
- the security module can manage various authorization data records which in turn are assigned to different completion data records, a flexible completion of various portable data carriers with different completion data and using only one security module is possible.
- a security module according to the invention for monitoring the completion process according to the invention is set up to be connected to a completion device.
- the security module includes an administrative application executable thereon.
- the security module is set up to include various authorization records. Each of these authorization records specifies exactly one completion and is assigned to exactly one completion record on the completion device.
- the management application is set up to manage the various authorization records on the security module.
- an inventive system for completing at least one portable data carrier comprises a completion device.
- An auxiliary application is provided on the completion device.
- the system furthermore comprises an inventive security module with administration application connected to the completion device and at least one portable data carrier also to be completed, which is also connected to the completion device.
- part of the system are various authorization data records as well as various completion scripts, which each comprise a completion data record and complete commands for introducing the completion data record into a data carrier.
- Each authorization record is assigned to exactly one completion script and specifies exactly one complete set.
- the auxiliary application on the completion device is set up to bring the various authorization data sets into the security module.
- the auxiliary application is set up to insert the completion data set encompassed by the completion script into the at least one data carrier.
- the management application is set up to monitor the completion according to the specification in the selected authorization record.
- the completion device only has to include corresponding interfaces in order to be able to be connected to the security module and a data carrier to be completed.
- smart cards of various form factors and embodiments come into consideration as portable data carriers to be completed.
- the cards are based on Java Card technology.
- a corresponding reader is needed, which may be part of the completion device or in turn is suitably connected to the completion device.
- Other designs and configurations of the portable data carrier are also possible, for example as a memory card or the like.
- the security module can likewise be present in any design, for example as a chip card or as a USB token.
- the security module is designed as a chip card with a Java-based operating system and is configured to execute so-called Java Card Applets.
- the security module thus includes at least one non-volatile, rewritable memory, for example a FLASH or EEPROM memory, and a processor for executing applications stored in the memory.
- the completion device must have a further interface for connecting to the security module or be connectable to a corresponding reader.
- the management application is preferably an application stored in a memory of the security module and executable on a processor of the security module.
- the management application is designed as a Java Card Applet, which can be executed on a security module in the form of a Java Card.
- the management application is typically personalized and supports various security mechanisms.
- Both the authorization data script and the completion script serve to automate the completion process.
- the scripts can be created using any suitable scripting language, such as Groovy or the like.
- APDUs application protocol data units
- Security modules Commands in the form of APDUs
- the administration application on the security module as well as the data carriers to be completed recognize and support the respective commands. dardkomrnandos as well as proprietary APDUs specially developed for the use according to the invention.
- the helper application on the completion device is intended to execute the authorization data script and the completion script. That the intelligence and flexibility of the procedure lies in the scripts, but not in the helper application.
- This can be regarded as the interface between an operator of the completion device, the administration application on the security module and the data carrier to be completed.
- the auxiliary application can thus be universally used to complete a wide variety of data carriers by means of various completion scripts, without being adapted for each. Nevertheless, the auxiliary application or a similar mechanism is of central importance for the completion process, since it can establish a connection between the administration application on the security module and the portable data carrier to be completed, and the complete script can only be executed by the auxiliary application.
- the helper application is also based on Java, but may also be programmed in any other suitable language.
- a selected authorization data record uniquely specifies a completion data record to be introduced during the completion into a data carrier to be completed, for example by unambiguously assigning a completion script to the authorization data record.
- the completion script which is typically provided on the completion apparatus, includes the corresponding completion record and completion commands for inserting the completion record into the volume.
- the completion script associated with the authorization record gives particular especially the completion record to be introduced.
- the specification of the completion data set or the completion script comprising the completion data record preferably takes place via a naming convention, ie the authorization data record and the completion script associated therewith have unambiguously identical name components from which the assignment to one another can be read off.
- the authorization data set may include a check value which has been derived from the associated completion data record or the associated completion script, for example a hash value.
- the completion script can then be uniquely identified by this check value. The provision of such a check value further makes it possible to detect whether the completion record or the completion script has been altered without permission.
- the completion data are then preferably introduced into the data carrier in the context of the method according to the invention in that the completion script associated with the selected authorization data record is executed by the auxiliary application on the completion device. This means in particular that the auxiliary application only has interface character and does not have to provide its own commands for introducing the completion data record.
- Each completion is specified in full by one of the various authorization records that are managed on the security module.
- Such a specification includes a number of specifications which must be complied with during the corresponding completion in order to be approved by the administration application on the security module.
- various parameters relating to completion can be determined by means of the corresponding Specify this completion specifying authorization record exactly.
- the security module is personalized before it is issued or provided, for example by means of a unique identification number.
- Each location that receives a security module for the delegated completion of portable data carriers can thus be identified or addressed via the identification number in the security module.
- the management application on the security module is personalized with the identification of the security module and bound in this way to the security module. This ensures that the administration application is used only in conjunction with the security module provided for it and only by the location to which the corresponding security module has been provided. Further, it can be ensured that a completion script intended to be used under the supervision of a particular first security module for completing portable data carriers can not serve to support completion of data volumes under the control of another, second security module.
- an authorization data record from the set of the various authorization data records on the security module, which has been selected to be a concrete completion of a portable data carrier according to the to monitor storage according to the invention.
- a selected authorization data record specifies, as already indicated, the specific security module which can monitor a completion in accordance with the authorization data record and subsequently release the corresponding completion on the completed data carrier. This is preferably done by virtue of the authorization data record comprising information that uniquely identifies the security module, for example an identification number of the security module.
- the authorization data record is provided on the security module only in a suitable manner, for example, stored in the appropriate place on the security module if the security module matches the corresponding specification in the authorization data record. In this way, it is ensured that a specific authorization data record can be used only on exactly the security modules or at exactly the locations to which corresponding security modules have been provided, which are specified in the authorization module as permitted security modules. Use of the authorization data set on other security modules not specified in the specification of the authorization data record is thus effectively prevented. Furthermore, a selected authorization data record specifies a portable data carrier which may be completed according to the specification in the authorization data record.
- a corresponding completion of the data carrier ie an introduction of completion data as well as a configuration of the completion, takes place only if the data carrier complies with the specification in the authorization data record.
- a data carrier can be designated, for example, via a hardware identification assigned thereto. As a rule, this hardware identification is the same for all volumes of a batch which comprise an identical operating system mask in their ROM.
- a Be indirectly specified media that are contained in the authorization record the data carrier relating to secret data.
- secret data can be, for example, secret keys or the like, which are required in the course of the completion process, for example for authentication to the data carrier or for establishing secure data communication with the data carrier.
- a selected authorization record further specifies how many portable volumes may be completed by the specified completion record.
- a period within which a completion must be made can be specified in the authorization record. Only when a corresponding maximum number of completions has not yet been reached, or when the predetermined period still lasts, can a completion be carried out. In this way it can be ensured that only an envisaged number of volumes, as specified by the authorization record, can be completed.
- the management application can, for example, manage a corresponding counter on the security module, which is decremented after each completing according to the specification. By means of the expiration date, it can be ensured that only current and not accidentally obsolete completion scripts are used.
- an authorization data script is created.
- This comprises an authorization data record which, as described in detail above, substantially completely specifies the completion to be carried out.
- the authorization data script comprises at least one command. By means of this command, as explained below, the authorization data record can be introduced into the security module.
- a completion script is created which includes the completion record and the completion commands already explained above.
- the authorization data script and the completion script are uniquely associated with each other.
- the authorization data script and the completion script are then transmitted to the completion apparatus. This transmission can for example be done by e-mail, but any other type of transmission is possible. These Steps are performed by the instance that has control over the entire completion process, typically the manufacturer of the volumes.
- the authorization record is then transmitted from the completion device to the security module by the auxiliary application executing the authorization data script on the completion device.
- the auxiliary application acts merely executing, ie does not provide its own command, but merely executes the command or the commands of the authorization data script in order to effect the transmission of the authorization data record to the security module.
- the auxiliary application executes the completion script in order to introduce the completion data record into the portable data carrier.
- both transmission steps are preceded by a series of further steps which ensure the safety of the entire completion system and which are described in detail below.
- the authorization record and the completion script are encrypted prior to transmission to the completion device. This prevents spying or even changing of this security-relevant data during transmission.
- the entitlement data script as such may remain unencrypted because it includes the encrypted entitlement record
- the completion script is usually fully encrypted, ie the completion record along with the completion commands. Thus, no information about the completion commands can reach unauthorized possession.
- the completion script after being received by the helper application on the completion device, is decrypted by the helper application itself.
- the helper application is the sole instance having the key to decrypt the completion script.
- the encrypted authorization record is decrypted only after being transmitted to the security module by the management application on the security module.
- the auxiliary application can nevertheless effect the transmission of the encrypted authorization data record to the security module since it can easily execute the inherently unencrypted authorization data script.
- the administration of the various authorization records is completely performed by the management application and only on the security module.
- the administration of the various completion scripts is performed by the auxiliary application on the completion device, which decodes and subsequently manages the scripts during reception, for example first stores them at a predetermined location in a memory of the completion device. Only when a concrete data carrier is to be completed is an authorization data record selected, which specifies the completion and thereby monitors it. The associated completion script is then determined for this authorization data record, which is subsequently executed by the auxiliary application.
- security-relevant data is to be completed between the security module and the one to be completed Data carrier via the auxiliary application on the completion device, with which both the security module and the disk are connected transmitted.
- the helper application authenticate to the security module at the beginning of the procedure.
- Authentication of the auxiliary application with respect to the data medium to be completed can also be provided.
- the data communication between the auxiliary application and the security module is secured, for example encrypted, during most of the completion process.
- a secure communication channel between the management application on the security module and the auxiliary application on the completion device is set up preparatory.
- a secure communication channel is established between the helper application on the completion device and the portable medium to be completed.
- the data transmission can also be performed securely between the completion device and the data carrier.
- Authentication of the auxiliary application with respect to the security module can be done by means of a password.
- This password receives the body to which the completion is delegated when the security module is deployed.
- the password is only valid for the one security module which has been personalized by the identification number for the corresponding job.
- Security module can then be derived from the password secret key. These keys are never known to the entity performing the completion. The derivation and secure management of these keys is the responsibility of the auxiliary application. These keys are outside the auxiliary application not accessible. In this respect, secure data communication with the security module, which is required for various steps of the completion process, can be carried out exclusively via the auxiliary application. Also in this way it is ensured that a completion process without an inventive interaction of the various components, here the security module and the auxiliary application on the completion device, is not feasible.
- Secret data which is required to authenticate the auxiliary application on the completion device relative to the data carrier, are provided to the auxiliary application by the administration application on the security module. This can be done in a secure way, since, as mentioned, a secure data communication between the security module and the auxiliary application is already guaranteed.
- the authentication application on the security module is provided with an authentication value by the administration application on request, which is determined by the administration application by means of data stored in the authorization data record.
- Secret keys for establishing a secure communication channel between the helper application on the completion device and the volume are also provided by the management application on the security module.
- the authorization data record comprises a special basic key of the data carrier, from which the secret key required for the production of the secure channel can be derived.
- a completion of a data carrier is further specified by the selected authorization data record in that the configuration of the data carrier is also specified precisely. It is possible to use two data carriers devices which comprise an identical operating system mask, for example in the ROM memory, as well as an identical completion record, for example in the EEPROM memory, can be configured in various ways. As such, a specification of the intended configuration is an integral part of the specification in the authorization record. Only if the completed configuration of the data carrier has occurred after the introduction of the completion data set in the manner specified by the authorization data set, the configuration is released - only then the disk is ready for further use. Such a release can be done by a release command, which receives the disk from the auxiliary application. This command may include configuration check data that completely defines the intended configuration of the volume, for example in the form of a check value. A corresponding check value is calculated by the data carrier via the current configuration. Only if both test values agree will the completion including configuration be released.
- this data carrier is individualized. This step is usually done through commands of the completion script. This first checks whether the data carrier is already individualized or not. It should be noted that a batch of identically constructed data carriers is usually not individualized before the completion, so each data carrier of the batch carries the same batch number. The batch number is used to calculate the authentication value for authentication against the data medium. In order, for example, to prevent a complete completion process of a data carrier from being "recorded" in an abusive manner and subsequently in the same way for any number of identically constructed data carriers of the same batch with the same output.
- the actual completion process ie the introduction of the completion record in the disk, an individualization step is prefixed.
- the introduction of the completion data requires, as mentioned, an authentication to the data carrier.
- a data carrier-specific authentication is required for a completion of a data carrier according to the invention.
- the batch number of the data carrier is replaced by its serial number.
- the serial number of the data carrier is data carrier-specific. Consequently, the authentication value for authentication with respect to the data carrier, which is calculated by means of the batch number now replaced by the serial number, is also data carrier-specific from this point in time.
- This change of the batch number can be regarded as an upstream completion and, as such, also requires an authentication with respect to the data carrier to be individualized. However, this can be done with an only batch-specific authentication value for an entire batch, which can thus be part of the completion script. Such an individualization can be omitted if a corresponding data carrier is already individualized because it has already been completed, for example, in an earlier production cycle, but this earlier completion is now to be replaced by a new completion.
- FIG. 1 shows components of a preferred embodiment of a system according to the invention
- a completion system 1000 includes a completion device 200, for example in the form of a personal computer (PC), a security module 100, various authorization data scripts 400, 400 ', 400 ", various completion scripts 300, 300', 300", and to be completed Data carrier 10, 11, 12, 13.
- a completion device 200 for example in the form of a personal computer (PC)
- a security module 100 for example in the form of a personal computer (PC)
- various authorization data scripts 400, 400 ', 400 " various completion scripts 300, 300', 300"
- various completion scripts 300, 300', 300 and to be completed Data carrier 10, 11, 12, 13.
- the completion device 200 comprises suitable interfaces 220, 230 in order to be connected to the security module 100 and to a data carrier 10 to be completed.
- the interfaces 220, 230 may be designed, for example, as chip card readers if the security module 100 and the data carriers 10, 11, 12, 13 to be completed are designed as chip cards.
- an auxiliary application 210 is installed, which plays the role of an interface between a user of the completion device 200, the security module 100 and a data carrier 10 to be completed in the completion method described in detail below.
- the auxiliary application 210 is set up to execute the authorization data scripts 400, 400 ', 400 "and the completion scripts 300, 300', 300", which are described below.
- the completion device 200 is further connected to a network, for example the Internet.
- the completion device 200 may receive data, such as the completion scripts 300, 300 ', 300 "and the authorization data scripts 400, 400', 400".
- the security module 100 is designed as a portable data carrier, for example as a chip card, in particular as a GlobalPlatform Java Card. Alternatively, however, the security module 100 can also be embodied, for example, as a USB token or the like.
- a management application 110 is installed executable. By means of this management application 110, various authorization data records 310, 310 ', 310 "to be described are managed in the security module 100. Furthermore, the administration application 110 is set up to monitor the completion procedure described below.
- a portable data carrier 10 to be completed for example likewise in the form of a Java Card, comprises a ROM memory (not shown) in which an operating system mask has already been inserted, as well as a rewritable, non-volatile memory (not shown), for example a FLASH Memory or an EEPROM memory in which completion data 310 is written during the completion process described below.
- a rewritable, non-volatile memory for example a FLASH Memory or an EEPROM memory
- completion data 310 By means of this completion data 310, any errors in the ROM mask are remedied.
- the operating system of the data carrier 10 is suitably supplemented during the completion by the completion data 310 and configured and booted for the first time.
- a completion script 300, 300 ', 300 "includes a completion record 310, 310', 310" as well as completion commands 320, 320 ', 320 ".
- the completion record 310, 310 ', 310 "during the completion process into a data carrier 10, 11, 12, 13 to be completed.
- the execution script 300, 310 ', 310 is executed by the auxiliary application 210 on the completion device 200, as described below.
- An authorization data script 400, 400 ', 400 "finally includes an authorization data record 410, 410', 410" as well as at least one command 420, 420 ', 420 "for introducing the authorization data record 410, 410', 410” the security module 100 the command 420, 420 ', 420 "is also executed by the auxiliary application 210 on the completion device 200.
- An authorization data record 410, 410', 410" is in each case unambiguously assigned to a completion data record 310, 310 ', 310 "and specifies one each Completion, ie in the authorization data record 410, 410 ', 410 ", all essential parameters of a completion process are predetermined, as will be described in detail below with reference to FIGS.
- the completion method described here has been developed in order to be able to delegate a completion process to an external site other than the manufacturer of the data carriers 10, 11, 12, 13 to be completed.
- an external body may be, for example, an external department of the manufacturer or a close customer. In this way, the production process at the actual manufacturer is not affected by the completion of small test quantities of data carriers.
- step S1 the security module 100 is prepared.
- the management application 110 is loaded into the security module 100 in sub-step TS11 in order to be executable there.
- the security module 100 is personalized in TS12 by providing it with a unique identity number ID. By means of this identity number, any external point which receives such a security module 100 for external completion can be uniquely addressed.
- the management application 110 is also personalized on the security module 100 in sub-step TS13: on the one hand with the identity number ID of the security module 100, on the other hand with a cryptographic key keyBD.
- the management application 110 is bound to the security module 100, thus can only be used in conjunction with the uniquely identified module 100, which carries the same ID, but not with a similar other security module.
- the key keyBD serves, as described below, for decrypting authorization records 410, 410 ', 410 "received in encrypted form by the management application 110.
- a security module 100 prepared in this way is provided to the external site in step S2.
- step S3 the auxiliary site 210 is further provided to the external site. This is to be installed on the completion device 200. As described below, the completion process without the helper application 210 can not be performed, nor without the security module 100.
- step S4 the external entity receives a number of volumes to be completed 10, 11, 12, 13. These are usually data carriers a structurally identical batch, which has not yet been completed. However, it is also possible that individual or all of the data carriers 10, 11, 12, 13 provided have already been completed in a previous production phase and are now to be completed again for test purposes, for example for improving or correcting the operating system.
- completion data and authorization data are generated and transmitted to the external site. These steps are performed by the manufacturer of the volumes to be completed whenever a new completion version, e.g. a completion record 310 for supplementing an operating system of a data carrier 10 is present.
- a new completion version e.g. a completion record 310 for supplementing an operating system of a data carrier 10 is present.
- step S5 a new completion record 310 for completing a portable volume 10, 11, 12, 13 is generated.
- This completion record 310 may be a further development of a previous version of completion data or a new or first development.
- the completion data record 310 includes exactly the data that is to be introduced into a memory of a data carrier 10, 11, 12, 13 to be completed. For this purpose, commands are generally required by means of which the completion device 200 with the data carrier 10, 11, 12, 13 communicates to transmit the completion data 310 to the data carriers 10, 11, 12, 13.
- Corresponding completion commands 320 are thus also generated and processed together with the completion record 310 in step S6 to a completion script 300.
- This completion script 300 thus comprises both completion data 310 to be introduced into the data carrier 10, 11, 12, 13 and commands 320 required therefor, specifically in the arrangement and sequence in which the commands 320 are merely specified by the auxiliary application 210 as specified by the script 300 the completion device 200 must be performed.
- the completion script 300 may be generated in any suitable scripting language, such as Groovy. If the data carriers 10, 11, 12, 13 and the security module 100 are designed as chip cards according to ISO 7816, the completion commands 320 are provided for communication with these two elements in the form of APDUs ("application protocol data unit") In step S7, the generated completion script 300 is encrypted with a transfer key key S. In this way, it is checked against spying or altering during the subsequent transfer to the completion device (see step Sil). which can then be accessed via an unsecured network, for example via e-mail via the Internet.
- APDUs application protocol data unit
- an authorization record 410 is generated. This includes a substantially complete specification of a completion.
- This authorization record 410 is clearly the completion record 310, which has been generated in step S5, assigned.
- An assignment of the completion script 300 to the authorization data record 410 may further be effected by the authorization data record 410 comprising a check digit specifying the completion script 300, for example a hash value over the complete completion script 300.
- the management application 110 may be located on the security module 100 not only recognize the completion script 300 associated with the authorization data record 410 as such, but also check for any undesired changes.
- Authorization record 410 may include, among other things, the following data:
- a hardware ID of a data carrier 10, 11, 12, 13 which can be completed by means of the completion data record 310 is generally the same for identically constructed data carriers 10, 11, 12, 13 of a batch.
- This hardware ID uses the management application 110 on the security module 100 during the later course of the completion process to check whether a present data carrier 10, 11, 12, 13 may be completed with an existing completion record 310, ie the authorization record 410 not only sets the permissible Komplett istsrtzsatz 310, but also the type of disk 10, 11, 12, 13, which may be completed with it.
- this key specifies the authorization record 410 - indirectly - a to be completed disk 10, 11, 12, 13, because if these keys does not fit to be completed to a data carrier 10, 11, 12, 13, an intended completion before gang already fail because an authentication against the disk 10, 11, 12, 13 will not be successful.
- An identification number ID of a security module 100 which may be used to complete a data carrier 10, 11, 12, 13 to be completed.
- the authorization data record 410 thus also specifies, in addition to the completion record 310 and the data carrier 10, 11, 12, 13 to be completed, who may perform this completion: Only the location that is in possession of a security module 100 clearly identified with the ID.
- a completion number that specifies how often a completion specified by the remaining parameters may be performed. After each successful completion according to the authorization data record 410, the completion number, which can be provided as a counter, is correspondingly reduced. If this counter reaches zero, the authorization record 410 is likewise blocked by the administration application 110. A check digit about the completion script 300, already described above.
- a test value which clearly specifies an admissible configuration of a data carrier 10, 11, 12, 13 to be completed. Only if the data carrier 10, 11, 12, 13 has been configured according to this configuration specification after the completion record 310 has been inserted is the completion successful.
- This check value can also be designed as a hash value.
- Information about authorization records to be blocked In this way, it becomes possible, for example, to indicate to the administration application 110 on the security module 100 that the existing authorization data record 410 replaces an earlier authorization data record already present on the security module 100.
- the former authorization record which for example specified a completion according to a previous version of a current completion script 300, is then locked by the management application 110 as part of the management of the various authorization records 410, 410 ', 410 "on the security module 100.
- step S9 the authorization record 410 is encrypted by means of another key keyBD and thus against spying and changing secured in the subsequent transfer (see step Sil) to the completion device 200.
- the authorization data record 410 is decrypted only on the security module 100 by the administration application 110. For the purpose of personalization (see TS13), this was equipped with the corresponding key.
- an authorization data script 400 is generated in step S10. This comprises, in addition to the encrypted authorization data record 410, at least one command 420 which, when executed by the auxiliary application 210 on the completion apparatus 200, directly leads to the encrypted authorization data record 410 being transmitted to the security module 100. Separate encryption of the authorization data script 400 itself is generally not necessary since the at least one command 420 does not represent a security-relevant date. In contrast, the commands 320 of the completion script 300 are considered security-relevant and, together with the completion data 310 that is also to be secured, are encrypted (cf. S7).
- the encrypted completion script 300 and the authorization data script 400 with the encrypted authorization data record 410 are subsequently transmitted to the completion apparatus 200 in step S, for example via the Internet. There can then start the actual completion process, which will be described with reference to Figures 4 to 8 below. Each time a new or updated completion record 310 is present, steps S5 through Sil may be repeated in the manner described. If a data carrier 10, 11, 12, 13 to be completed is connected to the plating device 200 via the interface 220 and the security module 110 via the interface 230, the actual completion process is initiated, as described with reference to FIG. 4 ,
- step S12 In order to be able to cryptographically secure the subsequent completion process, during which security-relevant data is transmitted, certain security measures are necessary.
- the completion process is continued in step S12 in that the auxiliary application 210 is authenticated to the administration application 110 on the security module 100. This is done by means of a password, which is known to the user of the completion device 200.
- a secure channel is established between the auxiliary application 210 and the administration application 110 in step S13.
- the necessary secret keys are derived from the auxiliary application 210 in substep TS131 from the password, without the user of the completion device 200 comes into the possession of these keys - which at the same time ensures that the security module 100 and the running administration application 110 always only in conjunction with the auxiliary application 210, but not separately.
- the secured communication connection to the security module 100 is established in sub-step TS132 by means of the secret keys.
- a transfer of the authorization data record 410 to the security module 100 can take place in step S14.
- the auxiliary application 210 executes the authorization data script 400 on the completion device 200.
- the authorization data record 410 is decrypted by the management application 110 by means of the key ke eD in step S15. Subsequently, it is checked in step S16 whether the security module ID specified in the authorization data record 410 matches the ID of the security module 100. Only if this is the case, the authorization record 410 is stored in the security module 100 in step S18. Otherwise, the completion process is aborted in step S17. In step S19, the auxiliary application 210 then decrypts the receiving completion script 300 on the completion device 200.
- the execution of the completion script 300 by the auxiliary application 210 is initiated by a user of the completion device 200 selecting the authorization data record 410 assigned to the completion script 300, which is stored on the security module 100 alongside any other authorization data records 410 ', 410 "already stored therein That is, only if the security module 100 stores an authorization data set 410, 10 ', 410 "which is unambiguously assigned to a completion script 300, 300', 300" present on the completion device 200, can the corresponding completion script 300, 300 ', 300 "are executed by the auxiliary application 210. It is also clear at this point that the entire completion method is feasible only in the interaction of the described components.
- step S21 the data carrier 10, 11, 12, 13 to be completed in one of the actual completion of the data carrier 10, 11, 12, 13 is individualized, if not already done.
- This step is necessary to prevent identical volumes 10, 11, 12, 13 of a batch from being completed identically by means of a correct "recorded" completion process performed for a volume 10 of the batch note that data carriers of the same batch have an identical batch number
- the batch number of a data carrier is used to calculate an authentication value AV required for the authentication against the data medium Accordingly, for the data carriers of a batch - as long as they have the same batch number - This makes it possible to repeatedly use a recorded completion process, including authentication, but this is to be prevented in the case of delegated completion
- the completion script 300 checks whether a respective data carrier is being checked 10, 11, 12, 13 has already been individualized, for example, because this data carrier 10, 11, 12, 13 has already been personalized once in an earlier production phase. If not, the data carrier 10, 11, 12, 13 is individualized in that the batch number stored in the data carrier 10, 11, 12, 13
- step S22 the auxiliary application 210 authenticates itself with respect to the data carriers 10, 11, 12, 13.
- the data volume-specific authentication value AV required for this purpose requests them from the administration application 110 on the security module 100 in sub-step TS 221.
- the management application 110 determines the AV and provides it to the auxiliary application 210 in sub-step TS222 before the auxiliary application 210 finally authenticates in sub-step TS223 by means of the acquired AV at the data carrier 10, 11, 12, 13.
- the auxiliary application 210 requests in sub-step TS231 the information required for this, from one on the security module 100 as part of the authorization data record 410 stored media key derived from the management application 110. This determines the corresponding keys using the authorization data record 410 and provides them to the auxiliary application 210 in sub-step TS232.
- the secure communication connection to the data carrier 10, 11, 12, 13 represents the auxiliary application 210 using these derived keys in substep TS233.
- Step S23 is optional, especially since the completion records transmitted in the following step S24 can already be encrypted independently of an encryption of the transmission channel.
- step S24 the completion record 310 is transferred by means of a command of the completion script 300 to the data carrier 10, 11, 12, 13 and stored there, for example in the EEPROM memory. If necessary, this memory is previously completely deleted as a precautionary measure.
- the disk after step S24 preferably by means of a reset signal restarted (warm reset) and analogous to step S22 authentication is performed, but now compared to the completed (J AVA card) operating system of the disk he follows. Subsequently, the operating system of the data carrier 10, 11, 12, 13 updated and completed by means of the completion data 310 is configured in step S25.
- step S26 this configuration is checked on the basis of the specifications in the authorization data record 410.
- the auxiliary application 210 requests a corresponding configuration check value in sub-step TS261 from the administration application 110 on the security module 100.
- the management application 110 creates this check value after the specification in the authorization data record 410 and provides the auxiliary application 210 with the appropriate value in sub-step TS262.
- data carrier-specific data parts can be entered.
- the auxiliary application 210 transmits the configuration check value obtained in sub-step TS263 to the data carrier 10, 11, 12, 13. There, the received configuration test value compared to a test value internally calculated via the current configuration in the substeps TS264, TS265.
- the data carrier 10, 11, 12, 13 has thus been configured according to the specifications in the authorization data record 410, the corresponding configuration in the data carrier 10, 11, 12, 13 is released in substep TS267 and the counter relating to the allowable completion number in the permission record 410 is decremented by the management application 110 by one. Otherwise the completion process will be canceled unsuccessfully.
- the release of the completion means that the completed data carrier 10, 11, 12, 13 is ready for further production steps, for example an initialization or a subsequent personalization to a future user.
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- General Physics & Mathematics (AREA)
- Strategic Management (AREA)
- Computer Security & Cryptography (AREA)
- General Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Finance (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Computer Networks & Wireless Communication (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102010006987A DE102010006987A1 (de) | 2010-02-05 | 2010-02-05 | Komplettierung portabler Datenträger |
PCT/EP2011/000494 WO2011095337A1 (de) | 2010-02-05 | 2011-02-03 | Komplettierung portabler datenträger |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2531983A1 true EP2531983A1 (de) | 2012-12-12 |
Family
ID=43821732
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP11703594A Ceased EP2531983A1 (de) | 2010-02-05 | 2011-02-03 | Komplettierung portabler datenträger |
Country Status (5)
Country | Link |
---|---|
US (1) | US9076280B2 (de) |
EP (1) | EP2531983A1 (de) |
CN (1) | CN102754131B (de) |
DE (1) | DE102010006987A1 (de) |
WO (1) | WO2011095337A1 (de) |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1242094A (zh) * | 1996-12-23 | 2000-01-19 | 德意志银行股份公司 | 芯片卡和对于运用芯片卡的过程 |
DE19720431A1 (de) * | 1997-05-15 | 1998-11-19 | Beta Research Ges Fuer Entwick | Vorrichtung und Verfahren zur Personalisierung von Chipkarten |
US6367011B1 (en) * | 1997-10-14 | 2002-04-02 | Visa International Service Association | Personalization of smart cards |
TW527604B (en) * | 1998-10-05 | 2003-04-11 | Toshiba Corp | A memory systems |
US6609199B1 (en) * | 1998-10-26 | 2003-08-19 | Microsoft Corporation | Method and apparatus for authenticating an open system application to a portable IC device |
US7036738B1 (en) * | 1999-05-03 | 2006-05-02 | Microsoft Corporation | PCMCIA-compliant smart card secured memory assembly for porting user profiles and documents |
AU2001222074A1 (en) | 2000-01-19 | 2001-07-31 | Softcard Solutions Limited | Programming data carriers |
CA2405477A1 (en) | 2000-04-11 | 2001-10-18 | Visa International Service Association | Integrated production of smart cards |
FR2810139B1 (fr) * | 2000-06-08 | 2002-08-23 | Bull Cp8 | Procede de securisation de la phase de pre-initialisation d'un systeme embarque a puce electronique, notamment d'une carte a puce, et systeme embarque mettant en oeuvre le procede |
DE10107527A1 (de) * | 2001-02-17 | 2002-09-05 | Deutscher Genossenschafts Verl | Verfahren zur eindeutigen Zuordnung eines digitalen, extern erzeugten kartenindividuellen Datums zu einer Chipkarte |
EP1798660A3 (de) * | 2002-09-11 | 2007-09-12 | Koninklijke Philips Electronics N.V. | Verfahren mit Kollisionsvermeidung zum Lesen mehrerer kontaktloser Datenträger |
WO2004025896A1 (en) * | 2002-09-16 | 2004-03-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Loading data onto an electronic device |
DE10340181A1 (de) | 2003-09-01 | 2005-03-24 | Giesecke & Devrient Gmbh | Verfahren zur kryptographischen Absicherung der Kommunikation mit einem tragbaren Datenträger |
JP4070708B2 (ja) * | 2003-11-14 | 2008-04-02 | 株式会社リコー | セキュリティ確保支援プログラム及びそのプログラムを実行するサーバ装置並びにそのプログラムを記憶した記憶媒体 |
CN1954345B (zh) * | 2004-05-28 | 2012-11-21 | 国际商业机器公司 | 智能卡数据事务系统以及用于提供存储和传输安全的方法 |
US20050269401A1 (en) * | 2004-06-03 | 2005-12-08 | Tyfone, Inc. | System and method for securing financial transactions |
FR2873467A1 (fr) | 2004-07-26 | 2006-01-27 | Proton World Internatinal Nv | Enregistrement d'une cle dans un circuit integre |
DE102005020313A1 (de) | 2005-05-02 | 2006-11-16 | Giesecke & Devrient Gmbh | Vorrichtung und Verfahren zur Erzeugung von Daten für eine Initialisierung von Sicherheitsdatenträgern |
US8261091B2 (en) * | 2006-12-21 | 2012-09-04 | Spansion Llc | Solid-state memory-based generation and handling of security authentication tokens |
US8732846B2 (en) * | 2007-08-15 | 2014-05-20 | Facebook, Inc. | Platform for providing a social context to software applications |
EP2063400A1 (de) * | 2007-11-23 | 2009-05-27 | Gemalto SA | Virtuelles Sicherheitszugangsmodul |
-
2010
- 2010-02-05 DE DE102010006987A patent/DE102010006987A1/de not_active Withdrawn
-
2011
- 2011-02-03 CN CN201180008518.4A patent/CN102754131B/zh not_active Expired - Fee Related
- 2011-02-03 US US13/577,148 patent/US9076280B2/en not_active Expired - Fee Related
- 2011-02-03 WO PCT/EP2011/000494 patent/WO2011095337A1/de active Application Filing
- 2011-02-03 EP EP11703594A patent/EP2531983A1/de not_active Ceased
Non-Patent Citations (2)
Title |
---|
None * |
See also references of WO2011095337A1 * |
Also Published As
Publication number | Publication date |
---|---|
DE102010006987A1 (de) | 2011-08-11 |
CN102754131B (zh) | 2015-07-08 |
CN102754131A (zh) | 2012-10-24 |
US9076280B2 (en) | 2015-07-07 |
US20120311681A1 (en) | 2012-12-06 |
WO2011095337A1 (de) | 2011-08-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102012110499B4 (de) | Sicherheitszugangsverfahren für elektronische Automobil-Steuergeräte | |
DE60308990T2 (de) | Schutz eines gerätes gegen unerwünschte verwendung in einem sicheren umfeld | |
EP2289225B1 (de) | Verfahren zum personalisieren eines sicherheitselements eines mobilen endgeräts | |
DE102010027586B4 (de) | Verfahren zum kryptographischen Schutz einer Applikation | |
DE102007011309B4 (de) | Verfahren zur authentisierten Übermittlung eines personalisierten Datensatzes oder Programms an ein Hardware-Sicherheitsmodul, insbesondere einer Frankiermaschine | |
DE102013013179A1 (de) | Verfahren zum Betreiben eines Sicherheitselements | |
EP2689401B1 (de) | Verfahren zum betreiben einer geldkassette mit kundenspezifischen schlüsseln | |
EP1073019A2 (de) | Verfahren und Vorrichtung zur Übertragung von Daten auf SmartCards | |
EP2272199A1 (de) | Verteilte datenspeicherungseinrichtung | |
EP1784756B1 (de) | Verfahren und sicherheitssystem zur sicheren und eindeutigen kodierung eines sicherheitsmoduls | |
DE3705736A1 (de) | Verfahren zum sichern von programmen und zur integritaetskontrolle gesicherter programme | |
DE10218795B4 (de) | Verfahren zum Herstellen eines elektronischen Sicherheitsmoduls | |
EP1801724B1 (de) | Verfahren und Anordnung zum Bereitstellen sicherheitsrelevanter Dienste durch ein Sicherheitsmodul einer Frankiermaschine | |
EP3407242A1 (de) | Personalisieren eines halbleiterelements | |
EP2524333B1 (de) | Verfahren zum bereitstellen eines sicheren zählers auf einem endgerät | |
DE102018005284A1 (de) | Chip-Personalisierung eines eingebetteten Systems durch einen Dritten | |
WO2011095337A1 (de) | Komplettierung portabler datenträger | |
WO2017108192A1 (de) | Validierung und ausführung von provisionierungsdaten auf appliances | |
DE10218835A1 (de) | Verfahren zum Herstellen eines elektronischen Sicherheitsmoduls | |
DE102008047639A1 (de) | Verfahren und Vorrichtung zum Zugriff auf ein maschinenlesbares Dokument | |
EP1634252A1 (de) | Verfahren zum laden von tragbaren datenträgern mit daten | |
DE102004058020A1 (de) | Verfahren zur Personalisierung von Chipkarten | |
DE102014210434B4 (de) | Verfahren und System zur Herstellung einer gesicherten Kommunikationsverbindung zwischen einer ersten und zweiten Vorrichtung | |
WO2003088053A2 (de) | Programmsicherungsverfahren | |
EP3329415A1 (de) | Chipkarte mit hauptapplikation und persistenzapplikation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20120905 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAX | Request for extension of the european patent (deleted) | ||
17Q | First examination report despatched |
Effective date: 20141211 |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: GIESECKE+DEVRIENT MOBILE SECURITY GMBH |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R003 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20181112 |