FR2734934A1 - SECURE INTELLIGENT CHIP CARD - Google Patents

Abstract

Smart cards are cards which control the execution of their own transactions, so as to avoid providing specialised card readers for each type of transaction. The protected smart card system (1) of the invention is a smart card storing a transaction management programme (13) written in a high-order language requiring interpretation by a command interpreter (12) through a basic operating system (10) with systems for protecting memory access. Hence, an unauthorised user cannot interfere with the integrity of a transaction, since he can only access the smart card through the high-order language, and the high-order language commands which he might divert would necessarily be intercepted by the command interpreter (12) and by the protection systems of the basic operating system (10).

Description

 The term “smart card” denotes cards, in general of the format of a credit card, but also tokens provided with an electronic microcircuit, based on memories and a microcontroller, arranged to allow the unfolding of a transaction for example banking or health.

 Smart cards communicate with their environment by means of readers equipped with sufficient communication elements to allow and facilitate the execution of their transaction.

 Currently known smart cards, equipped with memories and possibly a microcontroller, are used only as a data medium embellished with security devices. The intelligence necessary for the conduct of transactions is transferred to the level of the readers, which are either autonomous and provided with a keyboard, a display and a memory managed by a microcontroller provided with a program for controlling the transaction process. specific to the planned transaction, or transparent and used as access to a computer system programmed specially for the planned transaction.

 This deferral of the intelligence necessary to conduct a transaction, either at the level of the card reader, or that of a computer system associated with the card reader, has the disadvantage of requiring a specialization of the reader or the computer system associated according to the type of transaction. So, if you want to change the type of transaction, it is not enough to change the programming of the smart card; the reader must also be changed, if it is autonomous, or the associated computer system, if the reader is transparent. This is an obstacle to the development of smart card applications.

 To avoid this drawback, it has been proposed to bring intelligence, that is to say the management of the transaction, to the level of the smart card itself. The smart card is no longer satisfied with carrying out the instructions which come to it from the outside, accompanying them with any security measures; it takes control of the progress of the transaction by giving its instructions to the reader who becomes a simple performer and who, therefore, can be trivialized and used with smart cards of different kinds, each specialized in very varied transactions.

 However, there is a security problem, since the unauthorized user must be deprived of any possibility of modifying the transaction management program stored within the smart card.

 The present invention aims to solve this problem in a simple manner, while leaving the possibility to the promoter of a transaction to modify it at leisure.

Its purpose is an intelligent, secure smart card, equipped with a memory and a microcontroller, remarkable in that it comprises, stored in memory:
- a basic operating system, in executable code adapted to the type of microcontroller, managing access to its memory with authorization keys for certain zones,
a command interpreter ensuring the interface between a transaction management program and the basic operating system, and
- at least one file containing said transaction management program written in an advanced and interpreted language, ineffective without translation by the command interpreter.

Advantageously, the transaction management program file is placed in a rewritable part of the memory, of the type
EEPROM, while the basic operating system and the interpreter of the interpreted language are arranged in a non-rewritable part of the memory, of ROM type.

The transaction management program stored in the smart card communicates with the outside world of the smart card through the operating system and can therefore be subject to corruption attempts. The fact that it is in advanced and interpreted language makes it possible to thwart such attempts at corruption since these instructions require, to be executed by the microcontroller of the smart card, a translation by a command interpreter using itself even on a basic operating system with memory access security. The shell and the basic operating system being inaccessible from outside the smart card, thanks to the memory access security, they are immune to corruption attempts. the transaction management program can read or write the data stored in the part
EEPROM of the memory but always under control of the basic operating system which verifies compliance with the security of access to the memory.

 The advanced and interpreted language also has the advantage of making it possible to write more compact programs than an uninterpreted language so that it saves memory space.

Other characteristics and advantages of the invention will emerge from the description below of an embodiment of the invention given by way of example. This description will be made below with reference to the drawing in which:
FIG. 1 is a block diagram of the electronic microcircuit fitted to a smart card,
FIG. 2 schematically illustrates the different logic layers of the program of a microcontroller of a secure smart card according to the invention, and
- Figure 3 is a block diagram of the organization of the memory of a smart card.

 A distinction is made in Figure 1 the electronic microcircuit or chip of a smart card. This comprises a microcontroller <CPU) 2 in connection with random access memory (RAM) 3, non-rewritable read-only memory (ROM) 4 and rewritable memory (EEPROM) 5 and a serial port of outputs 6 leading to a set from six to eight electrical contacts 7 allowing access to a reader.

 FIG. 2 shows the large partitions of the programs for managing the microcontroller of an intelligent smart card according to the invention.

The most buried layer is a basic operating system 10, in executable code adapted to the type of microcontroller of the smart card 1, which manages its memory with the usual security systems and an external communication protocol 11. This system basic operating system 10 is associated with a command interpreter 12 recognizing different instructions in advanced language. The entire base operating system 10 and the command interpreter 12 resides in non-rewritable ROM read-only memory and is surmounted by an external layer constituted by a program 13, in advanced and interpreted language, for managing the transaction. to which the smart card is dedicated, which is stored in rewritable EEPROM read-only memory.

 The transaction management program 13 communicates with the outside of the smart card via the operating system.

For security, all the instructions it contains, in particular those which have an action on the memory: read, write, erase, are in advanced language. Therefore, they are misunderstood by the microcontroller if they have not been interpreted by the command interpreter 12, which translates them and obligatorily directs them to the basic operating system 10 and its security systems. Thus, an unauthorized user cannot undermine the integrity of a transaction since he has access to the smart card only at the level of the advanced and interpreted language, and that the orders of this advanced language and interpreted that it could hijack are necessarily intercepted by the command interpreter 12 and by the security systems of the basic operating system 10.

 The use of an advanced language to be interpreted, at the level of exchanges of the smart card with the outside, has also the advantage, in addition to the security which it brings, of making it possible to write more compact programs. and therefore save memory space.

 The memory, which is made up of living (RAM) 3, and non-rewritable (ROM) 4 and rewritable (EEPROM) 5, has its rewritable dead (EEPROM) 5 organized, as shown in Figure 2, in a tree structure of directories whose accesses are regulated according to their levels by means of locks which must be opened beforehand using keys constituted by codes. The root directory 20 is said to be master. It gives access to one or more lower levels of directories 21, 22 known as dedicated directories. The master and dedicated directories contain elementary files 200, 210, 220 and 221.

 The master directory 20 is provided with first-class protection and contains in its elementary files a master transaction management program. The manager of the master directory can transmit rights to various application promoters of lower ranks registered at the levels of dedicated directories and offer them in the menu the applications that he authorizes.

 The dedicated directory 21 is provided with second rank protection and intended for a promoter of second rank applications which does not generally have access to the master directory but which can create, in its directory, applications in advanced language with rights access.

 The dedicated directory 22 is provided with third-tier protection and intended for a third-party application promoter and so on.

 Each transaction management application or program, whether master or dedicated, is always written in advanced interpreted language and never takes control of the microcontroller without going through the shell and the operating system security chain of based.

 To carry out a transaction, the secure smart card communicates in advanced and interpreted language, via the basic operating system, with a reader which provides it with the necessary resources such as keyboard, display, connection with one or more other smart cards or with a computer system. This communication is done, in the work-study program, on the initiative of the reader who is electrically in charge of exchanges but under the logical control of the smart card which defines the successive stages of a transaction by the running of its management program. transaction.

 The reader has electrical control of the exchanges thanks to two commands which it sends alternately to the smart card, on the one hand, a request for the provision of a packet of instructions and data developed within of the smart card called "card message" and on the other hand, a report declaration associated with a report message on the execution of instructions previously received in card messages. These two commands are advantageously the "get response" command and the "envelope" or "execute" command defined in the ISO7816 / prEN726 standards.

The "get response" command consists of sending a binary message comprising five successive one-byte fields:
- a first field named "CLA" containing a byte identifying the class of the instruction, for example, instructions reserved for banking applications,
- a second field named "INS" containing the CO byte in hexadecimal identifying the type of command, "get response",
- a third reserved field named "P1" containing byte 00 in hexadecimal,
a fourth reserved field named "P2" containing the byte 00 in hexadecimal, and
- a fifth field called "The field" containing a byte whose value n corresponds to the number of bytes expected in response to the smart card.

 This "get response" command results in a response from the smart card called "Data field" containing n bytes of data, n being the number declared in its "Le field" field, and two bytes "SW1, SW2" of card report .

The "execute" command consists of sending a binary message consisting of five successive one-byte fields and a final data field of several bytes:
- a first field named "CLA" containing a byte identifying the class of the instruction, for example, instructions reserved for banking applications,
- a second field named "INS" containing the AE byte in hexadecimal identifying the type of command "execute",
- a third reserved field named "P1" containing byte 00 in hexadecimal,
- a fourth reserved field named "P2" containing byte 00 in hexadecimal,
a fifth field named "Lc field" containing a byte whose value n corresponds to the number of bytes of the message accompanying the "execute" command, and
- a sixth final field named "Data field" containing the n bytes of data announced in the fifth field "Lc field". This "execute" command results in a response from the two-byte smart card "SW1, SW2" giving a card report.

 The command "envelope" has the same constitution as the command "execute" and differs from it by the value of the byte of its second field "INS" identifying the command which is worth C2 in hexadecimal.

 In these three messages, the respective fields "The field" and "Lc field" declare the length of the expected card message or that of the report message from the reader by means of which pass the instructions to be executed and associated data from the smart card as well as in return the reports of the actions executed by the reader and resulting data.

 When the smart card is inserted into the reader, the smart card is detected and powered up by the reader, which sends it a reset order according to lSO7816-3 standard. This results in an initialization process of the microcontroller of the smart card which ends by sending to the reader, from the smart card, an acknowledgment response to the reset command and by a start-up of the smart card transaction management program for a first processing cycle leading to the preparation of the first card message which will be communicated to the reader as soon as the latter requests it through 'a request to make a message available in the form of a "get response" command.

 Upon receipt of the acknowledgment response to the reset command, the reader begins a first data exchange cycle with the smart card.

 During this first exchange cycle, the reader sends a request for message provision, in the form of a "get response" command, to the smart card to request the sending of the card message. prepared by the smart card after initialization.

 The smart card, on receipt of such a request by the "get response" command, sends the prepared card message to the reader.

 The reader receives the card message, identifies the data it contains, interprets the message, executes the commands requested and responds to the smart card with a report statement in the form of an "envelope" or "execute" command. ", with a report message reporting to the smart card how it has achieved what has been asked of it and the result of this processing. This completes the first exchange cycle.

 On receipt of the "envelope" or "execute" command of the first exchange cycle from the reader, the smart card continues to run its transaction management program during a second processing cycle during which it first checks the correct execution of the card message it has just sent using the report message, then prepares another card message.

 The reader then begins a second exchange cycle by sending the smart card a second "get response" command to read the new card message. After processing the data of this new card message, the reader reports on its execution to the smart card, by means of a report message incorporated into a second "envelope" or "execute" command which closes the second cycle. exchange.

 The intelligent smart card, on receipt of this second "envelope" or "execute" command from the reader then begins, still under the control of its transaction management program, a third processing cycle during which it checks the correct execution of the card message which it has just sent, by means of the report message received from the reader, then prepares another card message.

 The reader then begins a third exchange cycle by sending the smart card a third "get response" command to receive this card message.

 The processing cycles, at the initiative of the smart chip card, and of exchange, at the initiative of the reader, follow one another according to the transaction management program stored in the smart chip card.

 In accordance with ISO7816-3, reader 1 is electrically in charge of exchanges, but the transaction takes place on the initiative of smart card 4, which is intelligent.

 The reader can have several smart card connectors.

In this case, only one smart card at a time controls the transaction. The smart card that controls the transaction is said to be "active". The others are said to be "passive". The smart card declared active is the first which is capable of providing a response to a "get response" instruction from the reader.

Claims (3)

 1. Secure smart card (1), equipped with a memory (3, 4, 5) and a microcontroller (2), characterized in that it includes stored in memory:  - a basic operating system (10), in executable code adapted to the type of microcontroller (2), managing access to its memory (3, 4, 5) with authorization keys for certain zones,  a command interpreter (12) providing the interface between a transaction management program (13) and the basic operating system (10), and  at least one file containing said transaction management program (13) written in an advanced and interpreted language, ineffective without translation by the command interpreter (12).  2. Secure smart card according to claim 1, characterized in that said file containing a transaction management program (13) in advanced and interpreted language is stored in a read-only and rewritable EEPROM type memory area.  3. Secure smart card according to claim 1, characterized in that said basic operating system (10) and said command interpreter (12) are stored in an area of the ROM and not rewritable ROM type.