GB2585641A - Robust data storage algorithm - Google Patents

Robust data storage algorithm

Info

Publication number: GB2585641A
Authority: GB (United Kingdom)
Prior art keywords: data, buffer, pointer, backup, start location
Legal status: Withdrawn
Application number: GB1909754.2A
Other versions: GB201909754D0 (en)
Inventor: Farrokh Baroughi Alireza
Current Assignee: Zwipe AS
Original Assignee: Zwipe AS

Application filed by Zwipe AS
Priority to GB1909754.2A
Publication of GB201909754D0
Publication of GB2585641A

Classifications

    • G06F12/0246 Memory management in non-volatile memory in block erasable memory, e.g. flash memory (under G06F12/02 Addressing or allocation; Relocation, and G06F12/023 Free address space management)
    • G06F12/02 Addressing or allocation; Relocation
    • G06F11/1415 Saving, restoring, recovering or retrying at system level (under G06F11/14 Error detection or correction of the data by redundancy in operation)
    • G06F2212/1032 Reliability improvement, data loss prevention, degraded operation etc
    • G06F2212/177 Smart card (under G06F2212/17 Embedded application)
    • G06F2212/7209 Validity control, e.g. using flags, time stamps or sequence numbers (under G06F2212/72 Details relating to flash memory management)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Techniques For Improving Reliability Of Storages (AREA)

Abstract

A robust process for writing to a memory system 200 of a device 20 with an intermittent power supply utilises at least four reserved memory locations including a first pointer buffer 204a, a second pointer buffer 204b, a first backup buffer 206a and a second backup buffer 206b. At the end of a first write operation, an address indicating the end of the data is stored in the first pointer buffer 204a, and a backup of the end of the data is written to the first backup buffer 206a. During a second write operation, further data is written starting from the address in the first pointer buffer 204a, the end of the further data is written to the second pointer buffer 204b, and a backup of the further data is written to the second backup buffer 206b. The first buffers 204a, 206a and second buffers 204b, 206b are then overwritten in an alternating fashion in successive write operations. This process ensures that it is always possible to revert to a previous, stable state of the memory system 200 in the event of corruption occurring due to interruption of a write operation, such as due to interruption of the power supply.

Description

ROBUST DATA STORAGE ALGORITHM
The present disclosure relates to a method of writing new data to a memory, and particularly to a method of writing new data to a memory in a robust manner such that existing data already stored in the memory is not corrupted in the event that the writing process is interrupted.
Biometrically-authorisable devices such as smartcards are becoming increasingly more widely used and include, for example access cards, credit cards, debit cards, pre-pay cards, loyalty cards, identity cards, and so on. Smartcards are electronic cards with the ability to store data and to interact with the user and/or with outside devices, for example via contactless technologies such as RFID and NFC. These cards can interact with suitable reader devices to communicate information in order to enable access, to authorise transactions and so on.
Smartcards with biometric authorisation can interact with the user via sensors, such as a fingerprint sensor, in order to enable access to secure features of the smartcard after successful verification of the user of the smartcard, for example in order to authorise financial transactions.
Challenges arise for biometrically-authorisable devices such as smartcards in relation to the constraints from the size of the device, the available power resource, and the required functionality. For a smartcard the size of the device may be limited by ISO standards for credit cards in the case of a smartcard operable as a payment card. Thus, all components must fit into a tightly packaged form, as well as ideally being flexible and lightweight.
Such devices are often passive, i.e. with no on-board battery, and power is harvested using an antenna within the device that electrically couples with an external antenna of the smartcard reader. However, this may mean that the power supply to the smartcard is unexpectedly interrupted, for example if the user moves the card too far away from the reader. This can cause problems when using particular types of memory.
Commonly, smartcards use solid-state, non-volatile memory, such as Flash memory, to store data. In the case of a biometrically-authorisable smartcard, this data may include reference templates for the biometric authentication. This type of memory stores data in blocks (sometimes called pages) which each have a capacity that is generally much smaller than the capacity of the entire memory, with common block sizes being 512, 2048 or 4096 bytes.
Figure 9 illustrates an example of a conventional memory system 10 of the type which could be used in a biometrically-authorisable smartcard. The memory 10 comprises a plurality of data storage blocks 12, and a pointer buffer 14. The pointer buffer 14 is typically a reserved data block within the memory 10, but it will be appreciated that the pointer buffer may be stored in a separate memory.
As illustrated in Figure 9, data is stored in the data storage blocks 12.
However, the data may not fill a whole number of blocks. In a smartcard, memory capacity is often limited, and it is therefore desirable to avoid wasted space within the memory. Consequently, when new data is written, it will be written immediately following the existing data.
The pointer buffer 14 stores an address of a location in the memory 10 where new data may be written to, i.e. a location immediately after the existing data stored in the data storage blocks 12.
With reference to Figure 10, when new data is to be written to the memory 10, a write start location is determined based on the memory location stored in the pointer buffer 14. The new data is then written to the data storage blocks 12, starting from the write start location. Once all of the new data has been written to the data storage blocks 12, a new write start location is determined and is then written to the pointer buffer 14, overwriting the memory location stored there previously.
As discussed above, smartcards powered by energy harvesting are susceptible to sudden and unexpected loss of power. If this occurs whilst a block of data is being written to the memory, then that block of data may be corrupted.
In one situation, where this occurs whilst writing the new write start location to the pointer buffer 14, then the memory system 10 may be unable to determine where new data is to be written. This can, in some instances, mean that the memory 10 must be reset resulting in the existing data stored in the memory 10 being erased.
In another situation, where this occurs when writing data to a block already containing data, this can corrupt the entire block. This is because, when writing data to a block, the previous content of the block is read, the new data is appended to the existing data, the entire block is cleared, and then the combined data is written to the block. This can result in destruction or corruption of the existing data if the write process is interrupted between clearing of the old data and completion of writing of the new data.
Viewed from a first aspect, the present invention provides a process for writing to a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, the process comprising: identifying a first write start location from the first pointer buffer; sequentially writing new data to the data storage blocks, starting from the first write start location; writing data from a data storage block containing a second write start location to the second backup buffer, the second write start location being a location immediately after the new data written to the data storage blocks; and writing the second write start location to the second pointer buffer.
In accordance with the present technique, a data backup is stored after writing new data, and the pointer buffer containing the previous write start location is not overwritten until at least the next write has been successfully completed.
Thus, it is possible to recover the memory system to a stable state, even if a write operation is interrupted. This is important in biometric-authentication devices because corruption of the memory could render the device inoperable, possibly requiring the memory to be reset, thereby clearing enrolled biometric data and giving rise to security weaknesses.
A write operation can be interrupted if supply of power to the device is interrupted during the operation. Write interruptions are common in biometrically-authorisable devices, as they are usually relatively low-power devices, meaning that the write process takes a relatively long time, and they often do not have an onboard power source such as a battery or super capacitor. In the case of a contactless biometrically-authorisable device, removal of the device from the excitation field or fluctuations in the excitation field may mean insufficient power is available. Similarly, in a case of a contact biometrically-authorisable device, movement or removal of the device may interrupt power supplied via a mechanical connection between a contact chip of the device and a power source such as a reader.
The biometrically-authorisable device preferably does not include an onboard power source. The term "power source" is intended to refer to any device capable of storing sufficient power to complete a full write operation, and may include devices such as a battery or a super capacitor.
The biometrically-authorisable device may be configured to power the memory system by contactless power transfer, such as by use of energy harvested from an excitation field. The excitation field may be, for example, generated by a device reader or by a dedicated power-transmission unit. Optionally, the biometrically-authorisable device may also be configured for contactless transmission of data between an external device and the biometrically-authorisable device.
Additionally, or alternatively, the biometrically-authorisable device may be configured to power the memory system by a physical connection to a power source. For example, the device may include a contact pad for connection to a power source, such as a device reader or by a dedicated power-supply unit. Optionally, the contact pad may also be configured for transmission of data between the power source and the biometrically-authorisable device.
The method may comprise determining that data in the first pointer buffer was written more recently than data in the second pointer buffer. That is to say, the method identifies the write start location that was stored most recently, and uses this as the location where new data is to be stored.
The "write start location" refers to a memory location indicative of where the memory system is to begin writing new data. This preferably comprises, for example, a location immediately following the last data written in a preceding write operation.
The method may comprise determining that data in the first pointer buffer has not been corrupted and that data in the second pointer buffer has not been corrupted. Thus, in this case, the method would be applicable to the situation where the preceding write operations have not been interrupted whilst writing the pointer buffers.
Alternatively the process may comprise determining that data in the second pointer buffer has been corrupted. In this situation, the process has identified that the second pointer buffer was corrupted during a preceding write operation, and has therefore used the uncorrupted first pointer buffer. The process may further comprise determining that data in the first pointer buffer has not been corrupted. However, this step may be unnecessary if the above write process has been followed previously, as it should not be possible for interruption of the write operation to result in corruption of both pointer buffers.
Determining that the data has not been corrupted may be performed in any suitable manner. For example, the first pointer buffer may comprise a verification code, which may be used to verify the integrity of the data. Alternatively, for example, the data may be checked against an expected data format.
The process may comprise determining that data in a data storage block containing the first write start location is incorrect or corrupted; and may further comprise performing a data recovery operation based on backup data stored in the first backup buffer.
The "backup data" that is stored to the backup buffers may comprise a copy of part or all of the data stored in the respective data storage block. For example, in some embodiments, it may correspond only to the data stored before the write start location or it may correspond only to all of the data in the data storage block, except for a portion of data that is not expected to be used, such as the last byte, which may permit a verification byte to be stored in the backup buffer, as will be discussed later.
Determining that data in a data storage block containing the first write start location is incorrect or corrupted may comprise comparing part or all of the data in the data storage block containing the first write start location to part or all of the data stored in the first backup buffer, and may comprise determining that the data in the data storage block containing the first write start location is incorrect or corrupt if the compared data does not match. That is to say, the data in the data storage block may be compared to a previously-stored backup, which was stored following a previous successful write operation, and if it does not match, then corrective action may be required.
In some embodiments, the part of the data to be compared may be the data preceding the first write start location. This is because, if the data preceding the first write start location is correct, then any incorrect data following this location will simply be overwritten during the next write operation. This situation may occur if a subsequent write operation was started, and was interrupted after writing to the first data storage block but before completion, i.e. before writing the next write start location.
Preferably, after the data recovery operation, part or all of the data in a data storage block containing the first write start location has been overwritten with part or all of the backup data stored in the first backup buffer. For example, in some embodiments, only the data before the first write start location may be changed, since data after this location will be overwritten during the next write operation. In other embodiments, for example where the last byte of the backup data buffer is used as a verification byte, this verification byte may not be written to the data storage block containing the first write start location.
The process may comprise writing a first verification code to the second backup buffer. The first verification code may permit verification of the integrity of data stored in the second backup buffer. The method may further comprise writing a second verification code to the second pointer buffer. The second verification code may permit verification of the integrity of data stored in the second pointer buffer. The use of verification codes permits simple detection of an interrupted write operation. Either or both verification code may use any suitable means, such as storing a hash of the respective data or using an error-correcting code, such as by implementing a cyclic redundancy check.
Each of the reserved memory locations is preferably an independently writable memory location. Thus, interruption of the write operation to one memory location does not affect data stored in other write locations.
At the start of the process, the first backup buffer preferably contains data from a data storage block containing the first write start location before the new data is written to the data storage blocks. That is to say, a previous write operation was successfully completed and the data written in the last memory location has been backed up to the first backup buffer. Thus, if the write operation being performed is interrupted, it is possible to recover to the previous state of the memory system.
In one embodiment, the new data comprises a new biometric reference template. The biometric reference template may comprise an image of a biometric identifier or may comprise a set of minutiae representing a biometric identifier. The method described is particularly applicable to biometric enrolment, i.e. the storing of new biometric reference templates to the device, as this typically requires a relatively large quantity of data to be stored and so is particularly susceptible to interruption.
In one aspect, the present invention may provide a method for enrolling biometric data onto a biometrically-authorisable device comprising: receiving biometric data representing a biometric identifier of a user of the device, generating a biometric reference template based on the biometric data, and writing the biometric reference template to a memory system of the biometrically-authorisable device using the method described above.
The biometric reference templates may be suitable for use in a subsequent biometric-authorisation process. The biometrically-authorisable device may be configured to verify the identity of a user of the device by comparison of received biometric data against one or more biometric reference templates stored in the memory system of the device. The biometrically-authorisable device may be configured to authorise an action responsive to successful verification of the identity of the user.
The received biometric data (either for enrolment or for authorisation) may be received from a biometric sensor, which may be on-board the biometrically-authorisable device.
It will be appreciated that the method described above is a single write operation. Further write operations may implement a similar process, but where the first and second buffers are reversed. Thus, the process may further comprise: identifying the second write start location from the second pointer buffer; sequentially writing further new data to the data storage blocks, starting from the second write start location; writing data from a data storage block containing a third write start location to the first backup buffer, the third write start location being a location immediately after the further new data written to the data storage blocks; and writing the third write start location to the first pointer buffer.
The above example relates to a system including only two buffers.
However, it will be appreciated that the process may be implemented using three or more buffers, where the process writes to the buffers in a predetermined sequence, or indeed random sequence, so long as the most recently written buffers are not overwritten.
Thus, an alternative process may further comprise: identifying the second write start location from the second pointer buffer; sequentially writing further new data to the data storage blocks, starting from the second write start location; writing data from a data storage block containing a third write start location to a third backup buffer, the third write start location being a location immediately after the further new data written to the data storage blocks; and writing the third write start location to a third pointer buffer.
In both cases, the biometrically-authorisable device may be powered down between writing the second write start location to the second pointer buffer and identifying the second write start location from the second pointer buffer.
Viewed from a second aspect, the present invention also provides a process for recovering data in a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks, the memory system further comprising four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, the process comprising: identifying a first write start location from the first pointer buffer; determining that data in a data storage block containing the first write start location is corrupted; and performing a data recovery operation based on backup data stored in the first backup buffer.
The described process illustrates how data may be recovered in the event of data corruption, where the data has been written using the process described above. It will be appreciated that any one or more or all of the optional and preferred features described above in respect of the first aspect may apply also to this method.
The process may comprise determining that data in the first pointer buffer was written more recently than data in the second pointer buffer. That is to say, identifying that the first pointer buffer contains the address of the end of the last, completed write operation.
The process may comprise determining that data in the first pointer buffer has not been corrupted and that data in the second pointer buffer has not been corrupted.
After the data recovery operation the data in a data storage block containing the first write start location may have been overwritten with the backup data stored in the first backup buffer.
The second pointer buffer preferably contains a second write start location, and the second backup buffer contains data from a data storage block containing the second write start location.
Viewed from a third aspect, the present invention provides a computer program product comprising computer readable instructions that when executed will cause a memory system of a biometrically-authorisable device to perform a process according to one or both of the first aspect and the second aspect described above.
Optionally, the processes may include any one or more or all of the optional features described.
The computer program product may optionally be stored on a tangible, computer-readable medium.
Viewed from a fourth aspect, the present invention provides a biometrically-authorisable device comprising a memory system having a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer. The biometrically-authorisable device may be configured to perform a process according to one or both of the first and second aspects described above. Optionally, the processes may include any one or more or all of the optional features described.
The biometrically-authorisable device may comprise an on-board biometric sensor, and wherein the new data may comprise a biometric reference template generated from data received from the biometric sensor. The device may be configured to perform an enrolment operation as described above.
For example, the biometrically-authorisable device may be configured to receive biometric data representing a biometric identifier of a user of the device, for example from the biometric sensor, and may be further configured to generate a biometric reference template based on the biometric data. The device may be configured to write the biometric reference template to the memory system of the biometrically-authorisable device.
The biometrically-authorisable device may be any one of the following: an access token, an identity token, a cryptographic token, a payment device/card, credit device/card, a debit device/card, a pre-pay device/card, a loyalty device/card, or the like. It will be appreciated that a device may operate as a payment device, whilst not necessarily taking the form of a card, by emulating a payment card. The biometrically-authorisable device may be a smartcard. The smartcard preferably has a width of between 85.47 mm and 85.72 mm, and a height of between 53.92 mm and 54.03 mm. The smartcard may have a thickness less than 0.84 mm, and preferably of about 0.76 mm (e.g. ± 0.08 mm). More generally, the smartcard may comply with ISO 7816, which is the specification for a smartcard.
The biometrically-authorisable device is preferably a fingerprint-authorisable device. That is to say, the biometric sensor may comprise a fingerprint sensor.
Each of the reserved memory locations is preferably an independently writable memory location. Thus, interruption of the write operation to one memory location does not affect data stored in other write locations. This is common where the memory is flash memory. The memory is preferably a non-volatile memory, and may comprise non-volatile, solid-state memory, such as flash memory.
Each of the reserved memory locations may be a location within the same memory as the data storage blocks. However, in other embodiments, one or more of the reserved memory locations may be located within a separate memory within the memory system.
The biometrically-authorisable device preferably comprises a biometric-authentication module, which may be for performing biometric verification of a user of the device. The biometric-authentication module may comprise the memory system. The biometric-authentication module may be configured to receive biometric data from the biometric sensor, which may represent a biometric identifier of the user which may have been presented to the biometric sensor.
The biometric-authentication module may be configured to compare received biometric data to reference biometric data.
The biometrically-authorisable device may comprise a communication module, such as a secure element in the case of a payment device. The communication module may be configured to communicate with a reader external to the biometrically-authorisable device. The communication may be performed via one or both of contactless communication and contact communication.
The communication module may be configured to transmit data from the biometrically-authorisable device responsive to verification of the identity of the user of the device. For example, the communication module may receive a signal from the biometric-authentication module indicating successful biometric verification of the identity of the user. The data may, for example, be transmitted to a suitable reader device. The data transmitted by the biometrically-authorisable device may be authorisation to perform an action, such as to authorise a financial transaction for example in the case of a payment card. The communication may be secure and/or encrypted communication.
The communication module is preferably configured not to transmit the biometric data from the biometrically-authorisable device. The communication module may comprise a second memory system, which may be separate to the memory system described above.
It will be appreciated that the second memory system of the communication module may utilise the techniques described above.
In one or more embodiments, the communication module and the biometric-authentication module may be virtual modules implemented within a single unit on the device. For example, the functionality of both the communication module and the biometric-authentication module may be provided by a single secure element within the biometrically-authorisable device.
Viewed from a fifth aspect, the present invention also provides a process for writing to a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, the process comprising: identifying a first write start location from the first pointer buffer; writing data from a data storage block containing the first write start location to the first backup buffer; sequentially writing the new data to the data storage blocks, starting from the first write start location; and writing a second write start location to the second pointer buffer, the second write start location being a location immediately after the new data written to the data storage blocks.
It will be appreciated that this technique operates in substantially the same manner as the process of the first aspect. However, instead of writing the backup data at the end of a write operation, it is instead written at the beginning of the next write operation. The process may optionally include any one or more or all of the optional and preferred features described above.
The invention also may provide a computer program product comprising computer readable instructions that when executed will cause a memory system of a biometrically-authorisable device to perform a process according to the fifth aspect, and optionally also the method of the second aspect.
Similarly, the invention may provide a biometrically-authorisable device comprising a memory system having a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, wherein the biometrically-authorisable device is configured to perform a process according to the fifth aspect, and optionally also the method of the second aspect.
Viewed from a sixth aspect, the present invention provides a process for writing to a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks and three reserved memory locations including a first pointer buffer, a second pointer buffer and a third pointer buffer, the process comprising: identifying a first write start location from one of the first pointer buffer, the second pointer buffer and the third pointer buffer; sequentially writing new data to the data storage blocks, starting from the first write start location; and writing the second write start location sequentially to the first pointer buffer, the second pointer buffer and the third pointer buffer.
The method may comprise determining that the write start locations stored in each of the first pointer buffer, the second pointer buffer and the third pointer buffer are the same.
If a write start location stored in the first pointer buffer is different from a write start location stored in the second pointer buffer and the third pointer buffer, the write start location stored in the second pointer buffer and the third pointer buffer may be used as the first write start location. Optionally, the write start location in the first pointer buffer may be changed to match the write start location stored in the second pointer buffer and the third pointer buffer.
If write start locations stored in each of the first pointer buffer, the second pointer buffer, and the third pointer buffer are all different, the write start location stored in the first pointer buffer may be used as the first write start location.
Optionally, the write start location in the second pointer buffer and in the third pointer buffer may be changed to match the write start location stored in the first pointer buffer.
If a write start location stored in the third pointer buffer is different from a write start location stored in the first pointer buffer and the second pointer buffer, the write start location stored in the first pointer buffer and the second pointer buffer may be used as the first write start location. Optionally, the write start location in the third pointer buffer may be changed to match the write start location stored in the first pointer buffer and the second pointer buffer.
Certain preferred embodiments of the present disclosure will now be described in greater detail, by way of example only and with reference to the accompanying drawings, in which:
Figure 1 shows a biometrically-authorisable smartcard;
Figure 2 shows a first embodiment of a memory system including a plurality of data storage blocks and three pointer buffers;
Figure 3 shows a second embodiment of a memory system including a plurality of data storage blocks, two pointer buffers and two backup buffers;
Figure 4 shows the memory system of Figure 3 with new data written to the data storage blocks;
Figure 5 shows the memory system of Figure 4 with further new data written to the data storage blocks;
Figure 6 shows the memory system of Figure 4 with the further new data written to the data storage blocks, wherein corruption has occurred when writing to a pointer buffer;
Figure 7 shows the memory system of Figure 4 with the further new data written to the data storage blocks, wherein corruption has occurred when writing to a backup buffer;
Figure 8 shows the memory system of Figure 4 with the further new data written to the data storage blocks, wherein corruption has occurred when writing to the data storage blocks;
Figure 9 shows a prior art memory system including a plurality of data storage blocks and a pointer buffer; and
Figure 10 shows the prior art memory system of Figure 9 with new data written to the data storage blocks.
By way of example the following embodiments are described in the context of a biometrically-authorisable device in the form of a biometrically-authorisable smartcard that uses power harvested from a card reader. However, it will be appreciated that biometrically-authorisable devices incorporating this method may take many other forms, including a wearable device, a dongle or a device for biometrically-secured interactions with the "Internet of Things". Furthermore, the method may have application in many other fields of technology, aside from biometrically-authorisable devices.
A fingerprint-authorisable smartcard 20 configured to operate as a payment card will be first described with reference to Figure 1.
The smartcard 20 comprises a laminated card body 22 incorporating an integral, on-board fingerprint sensor 24. An exemplary technique for manufacturing such a card body 22 is described in WO 2013/160011 A1. The card body 22 preferably has a width of about 86 mm, a height of about 54 mm and a thickness of about 0.76 mm, i.e. such that it conforms to typical credit card dimensions, although in some embodiments the thickness may be increased to accommodate the fingerprint sensor 24. More generally the smartcard 20 may be an ID-1 identification card in accordance with ISO 7810.
The fingerprint sensor 24 is an area fingerprint sensor, and is mounted within the card body 22 so as to be exposed from and substantially flush with a surface of the card body 22. The fingerprint sensor 24 is positioned so as to be convenient for a user of the card to present a finger (commonly their thumb) to the fingerprint sensor 24 whilst holding the smartcard 20.
Full access to the secure features of the smartcard 20 (e.g. payment functions) requires biometric authorisation. The card body 22 houses a fingerprint-processing circuit for providing biometric authorisation by verification of the identity of the user of the smartcard 20 based on a fingerprint captured by the fingerprint sensor 24. The smartcard 20 is configured to perform the biometric authorisation within a secure memory of the smartcard 20, i.e. such that the user's biometric data is never transmitted off of the smartcard 20.
The fingerprint-processing circuit is arranged to receive a scanned fingerprint of a finger or thumb presented to the fingerprint sensor 24 and to compare the scanned fingerprint to pre-stored, reference fingerprint data. A determination is then made as to whether the scanned fingerprint matches the reference fingerprint data. In a preferred embodiment, the time required for capturing a fingerprint image and authenticating the user of the card 20 is less than one second.
If a match is determined between the scanned fingerprint and the reference fingerprint data, then the fingerprint-processing circuit takes appropriate action depending on its programming. In this example, if there is a match with the reference fingerprint data, then the fingerprint-processing circuit instructs a secure element of the smartcard 20 to authorise a payment.
The smartcard 20 includes a wireless communications interface comprising a tuned circuit that is tuned to receive an RF signal from the card reader, for example using near field communication (NFC) in the case of a payment card. The payment authorisation may be transmitted from the smartcard 20 to a suitable card reader via the wireless communications interface.
The wireless communications interface is further configured to harvest energy when exposed to a radio-frequency excitation field, such as that generated by the card reader, in order to power the components of the fingerprint-processing circuit. In this embodiment, the smartcard 20 is "passive", which means that it does not include a battery. Consequently, the fingerprint-processing circuit is powered only by energy harvested from the excitation field. As explained previously, this means that removal of the smartcard 20 from the excitation field can result in an unexpected loss of power to the fingerprint-processing circuit.
The fingerprint-processing circuit includes a memory storing one or more reference fingerprint templates. These fingerprint templates are generated by an enrolment process, during which the user repeatedly presents their finger to the fingerprint sensor 24 so as to capture reference images across the surface of the finger. This is necessary because, due to power and size constraints, the fingerprint sensor 24 is typically smaller than an average finger.
During an enrolment process, the smartcard 20 is powered by placing it within an excitation field as the enrolment process is performed. A fingerprint is scanned by the fingerprint sensor 24, and the scanned fingerprint is processed to generate a reference fingerprint template. The process for generation of a fingerprint template is well known in the technological field, and will therefore not be described herein.
After generation of the reference template, it is then written to the memory. However, if the power to the memory is interrupted whilst the reference template is being written to the memory, there is a risk that the memory could be corrupted.
This could then require the memory to be cleared and the user would need to repeat the enrolment process.
The memory of the smartcard 20 is a solid-state, non-volatile memory, such as Flash memory. This type of memory stores data in blocks (sometimes called pages) which each have a capacity that is generally much smaller than the capacity of the entire memory, with common block sizes being 512, 2048 or 4096 bytes.
Figure 2 illustrates a first embodiment of a memory system 100 which could be used in the smartcard 20.
The memory system 100 comprises a plurality of data storage blocks 102, and three pointer buffers 104. The pointer buffers 104 each comprise a reserved data block within the memory 100, but it will be appreciated that the pointer buffers 104 may be stored in a separate memory.
Significantly, each of the pointer buffers 104 are separate blocks within the memory system 10, i.e. such that they may be written to independently. Thus, a loss of power occurring whilst writing to one of the pointer buffers 104 will not affect the data stored in any of the other pointer buffers 104.
When writing data to the memory 100, the data is stored in the data storage blocks 102. However, the data often does not completely fill a whole number of blocks. In a smartcard 20, memory capacity is often limited, and it is therefore desirable to avoid wasted space within the memory 20. Consequently, when new data (e.g. a new reference template) is written to the memory 100, it will be written immediately following the existing data.
The pointer buffers 104 should each store the same address of a location in the memory 100 where new data may be written to, i.e. a location immediately after the existing data stored in the data storage blocks 102.
When new data is to be written to the memory 100, the memory 100 first checks that the data stored in each of the three pointer buffers 104 is the same. If the data is the same, then a write start location is determined based on the memory location stored in the pointer buffers 104. The new data is then written to the data storage blocks 102, starting from the write start location. Once all of the new data has been written to the data storage blocks 102, a new write start location is determined. The new write start location is a location immediately following the new data written to the data storage blocks 102. The new write start location is then written in turn to each of the pointer buffers 104, overwriting the memory location stored there previously.
In the event of a loss of power whilst writing the new write start location to the pointer buffers 104, the present memory system 100 permits detection of the failure.
If the loss of power occurs whilst writing to the first pointer buffer 104a, then the value in the first pointer buffer 104a will differ from the values of the second and the third pointer buffers 104b, 104c, which will be the same as one another. As the new write start location was not stored in any of the pointer buffers 104, it is not possible to determine how much data was written and so the last template stored cannot be used. However, the value of the first pointer buffer 104a can be reset to match the values of the second and the third pointer buffers 104b, 104c. Thus, only the most recently written data is lost and the previously stored data is not lost.
If the loss of power occurs whilst writing to the second pointer buffer 104b, then the values in the first pointer buffer 104a, the second pointer buffer 104b and the third pointer buffer 104c will all differ from one another. In this situation, the data written to the first pointer buffer 104a is not corrupted and correctly corresponds to the new write location. Consequently, the value of the first pointer buffer 104a can be written to the second and the third pointer buffers 104b, 104c, and the process can safely continue with no loss of data.
If the loss of power occurs whilst writing to the third pointer buffer 104c, then the value in the third pointer buffer 104c will differ from the values of the first and the second pointer buffers 104a, 104b, which will be the same as one another. In this situation, the data written to the first and second pointer buffers 104a, 104b is not corrupted and correctly corresponds to the new write location. Consequently, the value of the first or second pointer buffers 104a, 104b can be written to the third pointer buffer 104c, and the process can safely continue with no loss of data.
It should be noted that this process requires three pointer buffers to correctly identify an error. If only one pointer buffer is used, as in the prior art memory system 10, then the memory system 10 cannot determine whether the value is the new value, the old value or a corrupted value. If two pointer buffers are used, the memory system can determine that one of the pointer buffers has been corrupted because they will not match, but cannot determine which pointer buffer contains the correct value (i.e. does the first pointer buffer contain the new write location or does the second pointer buffer contain the old write location).
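As an added illustration (not code from the patent), the following Python simulation applies the three-pointer-buffer rules described above to a small byte array and models a loss of power while each of the pointer buffers 104a, 104b and 104c is being written; the memory size and the 0xFFFF "torn" value left by an interrupted write are constructed assumptions.

```python
# Added example (not code from the patent): a simulation of the
# three-pointer-buffer scheme of memory system 100. Memory size, the 0xFFFF
# "torn" pointer value and the sample data are all constructed.
from dataclasses import dataclass, field
from typing import List, Tuple

MEMORY_SIZE = 64   # constructed: a tiny byte-addressed data area
TORN = 0xFFFF      # constructed: value left behind when power fails mid-write


@dataclass
class Memory100:
    data: bytearray = field(default_factory=lambda: bytearray(MEMORY_SIZE))
    # pointer buffers 104a, 104b, 104c; each normally holds the write start
    pointers: List[int] = field(default_factory=lambda: [0, 0, 0])


def resolve_write_start(p: List[int]) -> Tuple[int, List[int]]:
    """Apply the three-way rule and return (write start, repaired buffers).

    Pointers are written in the order 104a, 104b, 104c, so each mismatch
    pattern identifies where the previous write was interrupted.
    """
    a, b, c = p
    if a == b == c:                  # previous write completed normally
        return a, [a, a, a]
    if b == c:                       # torn while writing 104a: the new start
        return b, [b, b, b]          # was never stored, fall back to the old one
    if a == b:                       # torn while writing 104c: 104a and 104b
        return a, [a, a, a]          # already hold the new start
    # all three differ (torn while writing 104b): 104a holds the new start.
    # a == c != b cannot arise from sequential writes and is treated the same.
    return a, [a, a, a]


def write(mem: Memory100, new_data: bytes, fail_at_pointer: int = -1) -> None:
    """Write new_data at the resolved start, then update the three buffers.

    fail_at_pointer = 0, 1 or 2 models a loss of power while writing that
    pointer buffer: it receives TORN and the later buffers are left untouched.
    """
    start, repaired = resolve_write_start(mem.pointers)
    mem.pointers = repaired          # re-synchronise the buffers first
    end = start + len(new_data)
    if end > MEMORY_SIZE:
        raise ValueError("data area full")
    mem.data[start:end] = new_data
    for i in range(3):
        if i == fail_at_pointer:
            mem.pointers[i] = TORN
            return
        mem.pointers[i] = end
```

A write interrupted at 104a is lost and overwritten by the next write, while an interruption at 104b or 104c loses nothing, exactly as the three cases above describe.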
The proposed memory system 100 permits recovery after a loss of power occurring whilst writing data to one of the pointer buffers 104. However, it does not address a loss of power occurring whilst writing data to the first data storage buffer.
Consequently, a loss of power in this situation could still corrupt the existing data within the memory 100.
Certain solutions may be used to address this problem. For example, certain memories exist which allow the modification of individual bytes of data, as opposed to the present system which only permits whole blocks of data to be written. Furthermore, the memory system 100 could be operated such that each reference template starts at the beginning of a block, which is less space efficient but also avoids the problem of data corruption.
Figures 3 to 8 illustrate a second embodiment of a memory system 200 which could be used in the smartcard 20.
Figure 3 shows the memory system 200 storing initial data, Figure 4 shows the memory system 200 after a first write operation has been successfully completed, Figure 5 shows the memory system 200 after a second write operation has been successfully completed, and Figures 6 to 8 show the memory system after respective second write operations that were interrupted, e.g. by a loss of power to the smartcard 20, resulting in data corruption within the memory system 200.
The memory system 200 comprises a plurality of data storage blocks 202, two pointer buffers 204 and two backup buffers 206. Each of the pointer buffers 204 and each of the backup buffers 206 comprises a reserved data block within the memory 200, but it will be appreciated that the buffers may be stored in a separate memory.
Significantly, each of the pointer buffers 204 and each of the backup buffers 206 are separate blocks within the memory system 10, i.e. such that they may be written to independently. Thus, a loss of power occurring whilst writing to one of these buffers 204, 206 will not affect the data stored in any of the other buffers 204, 206.
As in the memory system 10 of Figures 9 and 10 and the memory system 100 of Figure 3, data is stored in the data storage blocks 202. However, the data often does not completely fill a whole number of blocks. In a smartcard 20, memory capacity is often limited, and it is therefore desirable to avoid wasted space within the memory 20. Consequently, when new data (e.g. a new reference template) is written to the memory 200, it will be written immediately following the existing data.
Referring to Figure 3, the first pointer buffer 204a initially stores a first write start location 208a, which is the address of a location in the memory 200 where new data may be written to, i.e. a location immediately after the existing data stored in the data storage blocks 202.
The first backup buffer 206a stores first block backup data 210a, which is a copy of the block containing the first write start location, i.e. the memory location stored in the first pointer buffer 204a. For example, in Figure 3, the first block backup data 210a corresponds to the data stored in the third data storage block 202c.
The first pointer buffer 204a contains a first pointer verification byte 212a for verifying the integrity of the first pointer buffer 204a. This may be generated using a hash function, for example by passing the first write start location 208a through the hash function. Alternatively, the first pointer verification byte 212a may verify the integrity of the first pointer buffer 204a by verifying the first write start location 208a stored in the first pointer buffer 204a. For example, the first pointer verification byte 212a may comprise a hash of data stored before the first write start location 208a in the data storage block 202c containing the first write start location 208a. Additionally, the first backup buffer 206a optionally contains a first backup verification byte 214a for verifying the integrity of the first backup buffer 206a.
Optionally, this may be for verifying the integrity of the entire first backup buffer 206a. This may be generated using a hash function, for example by passing the first block backup data 210a through the hash function.
At least the last byte of the first backup buffer 206a will always be empty because the corresponding block 202 of the memory 200 contains the write start location. That is to say, the last byte will always be unused because if the last data storage block 202 that was written was full then the write start location would be in the next data storage block 202. Consequently, the verification byte 214a can be included as the last byte in the first backup buffer 206a, which will simplify subsequent processing.
The process for performing a first write operation to the memory system 200 will now be described.
When performing a new write operation, the memory system 200 performs the following steps:
1) Determine a write start location
2) Perform a data recovery operation, if required
3) Perform the write operation
When performing a first write operation, the memory system 200 must first determine the relevant write start location. In Figure 3, the preceding write operation was completed successfully and no data loss or corruption occurred.
Accordingly, the pointer buffers 204a, 204b do not contain any corrupted data. The first pointer buffer 204a contains the first write location 208a and the second pointer buffer 204b has not yet been used. Therefore, when new data is to be written to the memory 200, the write start location is determined as the first write start location 208a, which is the memory location stored in the first pointer buffer 204a.
As no data loss or corruption occurred previously, a data recovery operation is not required.
The new data is then written to the data storage blocks 202 as a first write operation, starting from the first write start location 208a.
Once all of the new data has been written to the data storage blocks 202, a new, second write start location 208b is determined. The second write start location 208b, in this embodiment, is the memory location immediately following the new data written to the data storage blocks 202. In the illustrated embodiment, with reference to Figure 4, the second write start location 208b is within the sixth data storage block 202f.
Next, the content of the data storage block 202 containing the new start location is read as second block backup data 210b. In this example, the data storage block 202 containing the new start location is the sixth data storage block 202f. Then a hash of the block backup data 210b is performed to generate a second backup verification byte 214b.
The second block backup data 210b and the second backup verification byte 214b are then written to the second backup buffer 206b.
Finally, a hash of the second write start location 208b is performed to generate a second pointer verification byte 212b, and the second write start location 208b and the second pointer verification byte 212b are written to the second pointer buffer 204b.
Figure 4 shows the state of the memory system 200 after completion of the first write operation. In Figure 4, the content of the pointer buffers 204 and the backup buffers 206 are as follows:
* The first pointer buffer 204a contains the first write location 208a and the first pointer verification byte 212a. The first write location 208a was the memory location where the first write operation commenced, which in this example was a location in the third data storage block 202c.
* The first backup buffer 206a contains the first block backup data 210a and the first backup verification byte 214a. The first block backup data 210a corresponds to the contents of the third data storage block 202c before the first write operation commenced.
* The second pointer buffer 204b contains the second write location 208b and the second pointer verification byte 212b. The second write location 208b is the memory location immediately following the data written to the data storage blocks 202 during the first write operation, which in this example is a location in the sixth data storage block 202f.
* The second backup buffer 206b contains the second block backup data 210b and the second backup verification byte 214b. The second block backup data 210b corresponds to the contents of the sixth data storage block 202f after the first write operation was completed.
In Figure 4, both pointer buffers 204a, 204b now contain respective write start locations 208a, 208b. Therefore, in order to determine the write start location for performing a second write operation, a determination must be made as to which of the first write location 208a in the first pointer buffer 204a and the second write location 208b in the second pointer buffer 204b should be used.
Firstly, an assessment is made as to whether the data in either of the first pointer buffer 204a or the second pointer buffer 204b has been corrupted. This will be discussed later. If either of the first pointer buffer 204a or the second pointer buffer 204b is corrupted, then the other, uncorrupted one of the pointer buffers 204 will be used to determine the new write start location. In the example in Figure 4, the first write operation was completed without loss of power and so neither of first pointer buffer 204a or the second pointer buffer 204b has been corrupted.
Secondly, an assessment is made as to which of the data in the first pointer buffer 204a or the data in the second pointer buffer 204b was written most recently. In some examples, the memory system 200 stores reference biometric data which is not overwritten unless the card is reset. Thus, a simple assessment may be made as to whether the first write start location 208a stored in the first pointer buffer 204a or the second write start location 208b stored in the second pointer buffer 204b is greater.
In other examples, a counter value or a time may be written into the pointer buffers 204 when writing the write start locations, so as to indicate which was written to most recently. Thus, these values or times may be compared to make the determination.
In this example, the memory system 200 determines that the second pointer buffer 204b was written to most recently (during the first write operation). Thus, a write start location is determined based on the second write start location 208b stored in the second pointer buffer 204b.
Next, an assessment is made as to whether the previous write operation was interrupted in a way such that a data recovery operation is required.
This may be checked in various ways. However, most preferably, this is performed by checking the respective block backup data, in this case the second block backup data 210b stored in the second backup buffer 206b, against the data storage block containing the new write start location, which in this case is the sixth data storage block 202f as it contains the second write start location 208b.
Optionally, only the data before the write start location may be verified, as data after the write start location may be overwritten during the subsequent write operation.
If a write operation was commenced but interrupted whilst writing to this data storage block 202f, then the data will not match the corresponding block backup data 210b. If an interruption is determined then a data recovery operation may be initiated, as will be discussed later. In the example in Figure 4, the first write operation was completed without loss of power and so no data was lost or corrupted.
The new data is then written to the data storage blocks 202 as a second write operation, starting from the second write start location 208b.
Once all of the new data has been written to the data storage blocks 202, a new, third write start location 208c is determined. The third write start location 208c, in this embodiment, is the memory location immediately following the new data written to the data storage blocks 202.
Next, the content of the data storage block 202 containing the new start location is read as third block backup data 210c. In this example, the data storage block 202 containing the new start location is the eighth data storage block 202h. Then a hash of the third block backup data 210c is performed to generate a third backup verification byte 214c.
The third block backup data 210c and the third backup verification byte 214c are then written to the first backup buffer 206a, i.e. so as not to overwrite the most recent block backup data (the second block backup data 210b) which is stored in the second backup buffer 206b.
Finally, a hash of the third write start location 208c is performed to generate a third pointer verification byte 212c, and the third write start location 208c and the third pointer verification byte 212c are written to the first pointer buffer 204a, i.e. so as not to overwrite the most recent write start location (the second write start location 208b) which is stored in the second pointer buffer 204b.
Figure 5 shows the state of the memory system 200 after completion of the second write operation. In Figure 5, the content of the pointer buffers 204 and the backup buffers 206 are as follows:
* The first pointer buffer 204a contains the third write location 208c and the third pointer verification byte 212c. The third write location 208c is the memory location immediately following the data written to the data storage blocks 202 during the second write operation, which in this example is a location in the eighth data storage block 202h.
* The first backup buffer 206a contains the third block backup data 210c and the third backup verification byte 214c. The third block backup data 210c corresponds to the contents of the eighth data storage block 202h after the third write operation was completed.
* The second pointer buffer 204b contains the second write location 208b and the second pointer verification byte 212b. The second write location 208b is the memory location immediately following the data written to the data storage blocks 202 during the first write operation, which in this example is a location in the sixth data storage block 202f.
* The second backup buffer 206b contains the second block backup data 210b and the second backup verification byte 214b. The second block backup data 210b corresponds to the contents of the sixth data storage block 202f after the first write operation was completed.
Significantly, the contents of the second pointer buffer 204b and the second backup buffer 206b are identical in Figures 4 and 5. These buffers 204b, 206b will not be changed unless the second (or subsequent) write operation has been successfully completed. This will become apparent from the following examples of attempting to perform a third write operation, but where the second write operation was unsuccessful.
Figures 6 to 8 illustrate potential states of the memory system 200 in the event of a loss of power occurring at different points during the second write operation described above.
In Figure 6, a loss of power occurred whilst writing the third write start location 208c to the first pointer buffer 204a. That is to say, all of the new data was written to the data storage blocks 202 and the second block backup data 210b was written to the first backup buffer 206a. Consequently, the first pointer buffer 204a contains corrupted data 216a.
The corruption of the data in the first pointer buffer 204 means that the third write start location 210c that was to be written to this location cannot be determined. However, because the first pointer buffer 204a and the second pointer buffer 204b are stored in separate blocks within the memory system 200, the corruption of the first pointer buffer 204a does not interfere with the contents of the second pointer buffer 204b.
When the memory system 200 commences a third write operation, an assessment is made as to whether the data in either of the first pointer buffer 204a or the second pointer buffer 204b has been corrupted.
This may be performed by comparing the pointer verification bytes 212 in each of the pointer buffers 204 against a hash of the write start location 208b stored in the respective pointer buffer 204. Optionally, there may be additional or alternative tests that can be performed to check the integrity of the data in the pointer buffers 204. For example, the data may be checked for conformity with an expected data structure.
The corrupted data 216a in the first pointer buffer 204a does not contain a correct verification byte. Consequently, the data where the third pointer verification byte 214c should be will not match the hash of the data where the third write start location 208c should be, and the memory system 200 knows that the preceding write operation failed. However, the data in the second pointer buffer 204b has not been corrupted and so the second pointer verification byte 212b will match the hash of the second write start location 208b.
In this case, the data written during the second write operation was correctly written to the data storage bytes 202, but the memory system 200 does not know where new data was written up to. Therefore, further data cannot be written to the data storage blocks 202.
The second write start location 208b is therefore used for the third write operation. This will result in the data written during the second write operation being overwritten. However, the memory system 200 does not need to be reset and only the data from a single write operation is lost.
Optionally, before writing data to the data storage blocks 202 during the third write operation, the first pointer buffer 204a and the first backup buffer 206a may be cleared.
Also optionally, the memory system 200 may perform a revert process before writing data to the data storage blocks 202 during the third write operation. For example, the second block backup data 210b from the second backup buffer 206b may be written to the sixth data storage block 202f, and any data in the subsequent data storage blocks 202 may optionally be cleared.
At completion of the third write operation, a fourth write start location (and a fourth pointer verification byte) will be written to the first pointer buffer 204a, optionally so as to overwrite the corrupted data 216a if it was not cleared. Thus, if the fourth write operation is interrupted, the memory system 200 will again be able to recover to the state after completion of the second write operation.
In Figure 7, a loss of power occurred whilst writing the third block backup data 210c to the first backup buffer 206a. That is to say, all of the new data was written to the data storage blocks 202, but because the second write operation was interrupted, no data was written to the first pointer buffer 204a. Consequently, the first backup buffer 206a contains corrupted data 216b and the first pointer buffer 204a still contains the data that was present before the first write operation.
When the memory system 200 commences a third write operation, the pointer buffers 204 are tested for corruption. Depending on exactly how this testing is performed, the corrupted data 216b in the first backup buffer 206a may also be detected at this stage.
In the present case, the pointer verification byte 212a in the first pointer buffer 204a (which is the first pointer verification byte 212a because the third write operation was interrupted before it was overwritten with the third pointer verification byte 212c) will match the hash of the first write start location 208a in the first pointer buffer 204a, and thus the first pointer buffer 204a will pass the data integrity test. The second pointer buffer 204b will similarly pass the data integrity test.
The memory system 200 will then proceed to determine which of the pointer buffers 204 was written more recently. Because the third write start location 208c was never written to the first pointer buffer 204a, the second pointer buffer 204b containing the second write start location 208b will be more recently written. Consequently, the second write start location 208b would be used for the third write operation. This will result in the data written during the second write operation being overwritten. However, the memory system 200 does not need to be reset and only the data from a single write operation is lost.
Optionally, instead of simply overwriting the data written during the (interrupted) second write operation, the memory system 200 may perform a revert process before writing data to the data storage blocks 202 during the third write operation. For example, the second block backup data 210b from the second backup buffer 206b may be written to the sixth data storage block 202f, and any data in the subsequent data storage blocks 202 may optionally be cleared. Optionally, the first backup buffer 206a and/or the first pointer buffer 204a may also be cleared.
If this process is to be used, then the interruption of a previous write operation may be detected by comparing the second block backup data 210b from the second backup buffer 206b against the data storage block 202 containing the second write start location 208b, i.e. the sixth data storage block 202f.
During the third write operation, fourth block backup data (and a fourth verification byte) will be written to the first backup buffer 206a, so as to overwrite the corrupted data 216b if it was not cleared. Thus, if the fourth write operation is interrupted, the memory system 200 will again be able to recover to the state after completion of the second write operation.
In Figure 8, a loss of power occurred whilst writing to the first data storage block 202 accessed during the second write operation, i.e. when writing to the sixth data storage block 202f. Consequently, the sixth data storage block 202f contains corrupted data 216c.
Significantly, the corruption of the data in the sixth data storage block 202f means that part of the data written during the first write operation has also been corrupted. However, because the second write operation was interrupted, no data was written to the pointer buffers 204 or backup buffers 206, and so the first pointer buffer 204a and first backup buffer 206a still contain the data that was present before the first write operation.
When the memory system 200 commences a third write operation, the pointer buffers 204 are tested for integrity. Since neither of the pointer buffers 204 (nor either of the backup buffers 206) contains corrupted data, both pointer buffers should pass this test.
Next, the memory system 200 determines which of the pointer buffers was written most recently. In this case, the third write start location 208c was not written to the first pointer buffer 204a because of the interruption of the second write operation. Consequently, the second write start location 208b stored in the second pointer buffer 204b is the most recently written write start location 208.
Finally, when the assessment is made as to whether a data recovery operation is required, the second block backup data 210b is checked against the data in the data storage block 202 containing the second write start location 208b, i.e. the sixth data storage block 202f. In this example, the sixth data storage block 202f contains corrupted data 216c and therefore the data will not match. The memory system 200 therefore determines that the previous write operation was interrupted in a way that has corrupted previously stored data.
A data recovery operation is then initiated. During this operation, the second block backup data 210b from the second backup buffer 206b may be written into the data storage block 202 containing the second write start location 208b, i.e. the sixth data storage block 202f.
Alternatively, where the corrupted data 216c is detected during a write operation, the write operation may be commenced by loading the second block backup data 210b from the second backup buffer 206b, appending the new data to the second block backup data 210b, and writing the result to the data storage block 202f containing the second write start location 208b.
For completeness, it is noted that in the event of an interruption whilst writing to a data storage block 202 other than the data storage block 202 containing the second write start location 208b, there will be no need for a data recovery operation because the corrupted data 216c will not have overwritten any of the previously stored data and therefore will simply be overwritten when new data is written to the memory system 200. However, as above, the memory system 200 may perform a revert process.
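As an added example that is not part of the patent, the following C simulation carries the write operation and the recovery paths of Figures 6 to 8 through end to end. The block size, the XOR checksum standing in for the hash, the sequence number used to decide which pointer buffer was written more recently (the page does not say how that is determined) and all names are assumptions of this example; `scenario()` completes one write, interrupts a second at the pointer buffer, the backup buffer or a data block, and shows the third write recovering.

```c
/* Added example, not the patent's code: host-side simulation of the scheme of Figures 3
 * to 8. Assumed, not from the page: 4-byte blocks, an XOR checksum in place of the hash,
 * and a sequence number beside each write start location to decide which is more recent. */
#include <stdint.h>
#include <string.h>
#define MEM_BYTES 32
#define BLK 4
#define INTR_NONE    -1  /* interrupt_at: no power loss (k >= 0: loss in k-th data block, Figure 8) */
#define INTR_BACKUP  -2  /* power loss while writing the backup buffer (Figure 7)  */
#define INTR_POINTER -3  /* power loss while writing the pointer buffer (Figure 6) */
typedef struct { uint8_t start, seq, check; } PtrBuf;  /* pointer buffer 204 */
typedef struct { uint8_t data[BLK], check; } BakBuf;   /* backup buffer 206  */
typedef struct { uint8_t store[MEM_BYTES]; PtrBuf ptr[2]; BakBuf bak[2]; } Memory;
static uint8_t xsum(const uint8_t *p, size_t n) {   /* verification byte (hash stand-in) */
    uint8_t x = 0xA5; while (n--) x ^= *p++; return x;
}
static uint8_t ptr_check(const PtrBuf *p) {
    uint8_t v[2] = { p->start, p->seq }; return xsum(v, 2);
}
static int ptr_valid(const PtrBuf *p) { return p->check == ptr_check(p) && p->start < MEM_BYTES; }
void mem_init(Memory *m) {   /* fresh device: unwritten NVM modelled as junk, start location 0 */
    memset(m, 0xEE, sizeof *m); memset(m->store, 0, MEM_BYTES);
    m->ptr[0].start = 0; m->ptr[0].seq = 0; m->ptr[0].check = ptr_check(&m->ptr[0]);
    memcpy(m->bak[0].data, m->store, BLK); m->bak[0].check = xsum(m->bak[0].data, BLK);
}
/* Most recently written intact pointer buffer (wrap-tolerant sequence compare); -1 if both corrupt. */
int latest_ptr(const Memory *m) {
    int a = ptr_valid(&m->ptr[0]), b = ptr_valid(&m->ptr[1]);
    if (a && b) return (uint8_t)(m->ptr[0].seq - m->ptr[1].seq) < 128 ? 0 : 1;
    return a ? 0 : b ? 1 : -1;
}
/* Compare the block holding the current start location with the backup taken alongside it
 * and restore it on mismatch; this one comparison serves both the Figure 8 recovery and the
 * optional revert of Figures 6/7. 1 = restored, 0 = intact, -1/-2 = pointer/backup unusable. */
int recover(Memory *m) {
    int i = latest_ptr(m); if (i < 0) return -1;
    BakBuf *b = &m->bak[i]; uint8_t *blk = m->store + (m->ptr[i].start & ~(BLK - 1));
    if (b->check != xsum(b->data, BLK)) return -2;
    if (memcmp(blk, b->data, BLK) == 0) return 0;
    memcpy(blk, b->data, BLK);
    return 1;
}
/* One write operation: recover if needed, append n bytes from the current start location, back up
 * the block containing the next start location, then record it, both into the other buffer pair. */
int write_op(Memory *m, const uint8_t *data, int n, int interrupt_at) {
    int cur = latest_ptr(m);
    if (cur < 0 || recover(m) == -1) return -1;               /* refused: reset needed */
    int start = m->ptr[cur].start, next = start + n, other = cur ^ 1;
    if (n <= 0 || next >= MEM_BYTES) return -1;               /* the next start block must exist */
    for (int off = start, k = 0; off < next; k++) {
        int blk = off & ~(BLK - 1), end = blk + BLK < next ? blk + BLK : next;
        if (interrupt_at == k) { memset(m->store + blk, 0xEE, BLK); return 0; }
        memcpy(m->store + off, data + (off - start), end - off);
        off = end;
    }
    BakBuf *b = &m->bak[other]; PtrBuf *p = &m->ptr[other];
    if (interrupt_at == INTR_BACKUP) { memset(b, 0xEE, sizeof *b); return 0; }
    memcpy(b->data, m->store + (next & ~(BLK - 1)), BLK); b->check = xsum(b->data, BLK);
    if (interrupt_at == INTR_POINTER) { memset(p, 0xEE, sizeof *p); return 0; }
    p->start = (uint8_t)next; p->seq = (uint8_t)(m->ptr[cur].seq + 1); p->check = ptr_check(p);
    return 1;                                                 /* completed */
}
/* Constructed scenario: a completed 6-byte write, a second 6-byte write that may be interrupted,
 * then what the third write finds. byte4 = first byte of the block holding the second start location. */
typedef struct { int op2, recovered, byte4, start3; } Outcome;
Outcome scenario(int interrupt_at) {
    static const uint8_t d1[6] = { 1, 2, 3, 4, 5, 6 }, d2[6] = { 7, 8, 9, 10, 11, 12 };
    Memory m; Outcome r; mem_init(&m);
    write_op(&m, d1, 6, INTR_NONE);              /* first write: start location -> 6 */
    r.op2 = write_op(&m, d2, 6, interrupt_at);   /* second write, possibly interrupted */
    r.recovered = recover(&m); r.byte4 = m.store[4];
    write_op(&m, d2, 6, INTR_NONE);              /* third write, after the recovery */
    r.start3 = m.ptr[latest_ptr(&m)].start; return r;
}
```

Passing a data-block index greater than 0 models the interruption at a block other than the start block described in the preceding paragraph: the start block is then merely reverted to its backup and the interrupted write is overwritten.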
The memory system 200 described with reference to Figures 3 to 8 is advantageous over the memory system 100 illustrated in Figure 2 for two reasons.
Firstly, it provides protection against an interruption of the write operation whilst writing to a data storage block 202 that contains existing data.
Secondly, it requires only two additional blocks to be written when performing write operations, as compared to the memory system 100 which requires three. This is important in a smartcard 20 because writing to the memory is a relatively power intensive process, meaning that it takes a relatively long time.
It is therefore desirable to minimise the number of blocks of data that must be written.
Whilst preferred embodiments have been described, it will be appreciated that the invention may be practiced in manners different from those set out above.
The above example is described using two pointer buffers 204a, 204b and two backup buffers 206a, 206b. However, it will be readily apparent that the same process could be implemented using a greater number of pointer buffers and/or backup buffers without significant change.
In a further alternative example, the order of steps may be changed such that the pointer buffer 204 is written before the backup buffer 206. Advantageously, in this alternative implementation, an interruption of the process whilst performing the last write (i.e. writing to the backup buffer 206), resulting in corruption of the data stored in the backup buffer 206, could be rectified by checking the integrity of the backup buffer 206 before performing a write operation and, if necessary, writing the required block backup data 210 to the respective backup buffer 206 at that stage.
Furthermore, in the above example, the step of writing block backup data 210 to the backup buffer 206 could be moved from being the last step of a write operation to being the first step of the next write operation. That is to say, the block backup data 210 could be stored at the beginning of each write operation, instead of at the end.
Whilst the described embodiment is particularly applicable to a passive, biometrically-authorisable smartcard, the techniques disclosed herein may provide similar advantages when applied to the memory system of any biometrically-authorisable device that does not have an onboard power supply, such as a battery or super capacitor, as well as to other types of device that do not have an onboard power supply. It will of course be appreciated that the techniques described herein may be employed within the memory systems of any biometrically-authorisable devices, i.e. including those having on-board power supplies. Furthermore, it is envisaged that the technique may have utility within the memory system of other devices having a suitable memory system.

Claims (25)

  1. A process for writing to a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, the process comprising: identifying a first write start location from the first pointer buffer; sequentially writing new data to the data storage blocks, starting from the first write start location; writing data from a data storage block containing a second write start location to the second backup buffer, the second write start location being a location immediately after the new data written to the data storage blocks; and writing the second write start location to the second pointer buffer.
  2. A process according to claim 1, further comprising: determining that data in the first pointer buffer was written more recently than data in the second pointer buffer.
  3. A process according to claim 2, further comprising: determining that data in the first pointer buffer has not been corrupted and that data in the second pointer buffer has not been corrupted.
  4. A process according to claim 1, further comprising: determining that data in the second pointer buffer has been corrupted.
  5. A process according to any preceding claim, further comprising: determining that data in a data storage block containing the first write start location is corrupted; and performing a data recovery operation based on backup data stored in the first backup buffer.
  6. A process according to claim 5, wherein after the data recovery operation the data in a data storage block containing the first write start location has been overwritten with the backup data stored in the first backup buffer.
  7. A process according to any preceding claim, further comprising: writing a verification code to the second backup buffer, the verification code permitting verification of the integrity of data stored in the second backup buffer; and writing a verification code to the second pointer buffer, the verification code permitting verification of the integrity of data stored in the second pointer buffer.
  8. A process according to any preceding claim, wherein each of the reserved memory locations is an independently writable memory location.
  9. A process according to any preceding claim, wherein the first backup buffer contains data from a data storage block containing the first write start location before the new data is written to the data storage blocks.
  10. A process according to any preceding claim, wherein the new data comprises a new biometric reference template.
  11. A process according to any preceding claim, further comprising: identifying the second write start location from the second pointer buffer; sequentially writing further new data to the data storage blocks, starting from the second write start location; writing data from a data storage block containing a third write start location to the first backup buffer, the third write start location being a location immediately after the further new data written to the data storage blocks; and writing the third write start location to the first pointer buffer.
  12. A process according to claim 11, wherein the biometrically-authorisable device is powered down between writing the second write start location to the second pointer buffer and identifying the second write start location from the second pointer buffer.
  13. A process for recovering data in a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks, the memory system further comprising four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, the process comprising: identifying a first write start location from the first pointer buffer; determining that data in a data storage block containing the first write start location is corrupted; and performing a data recovery operation based on backup data stored in the first backup buffer.
  14. A process according to claim 13, further comprising: determining that data in the first pointer buffer was written more recently than data in the second pointer buffer.
  15. A process according to claim 14, further comprising: determining that data in the first pointer buffer has not been corrupted and that data in the second pointer buffer has not been corrupted.
  16. A process according to claim 13, 14 or 15, wherein after the data recovery operation the data in a data storage block containing the first write start location has been overwritten with the backup data stored in the first backup buffer.
  17. A process according to any of claims 13 to 16, wherein the second pointer register contains a second write start location, and the second backup buffer contains data from a data storage block containing the second write start location.
  18. A computer program product comprising computer readable instructions that when executed will cause a memory system of a biometrically-authorisable device to perform a process according to any of claims 1 to 12 and/or a process according to any of claims 13 to 17.
  19. A biometrically-authorisable device comprising a memory system having a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, wherein the biometrically-authorisable device is configured to perform a process according to any of claims 1 to 12 and/or a process according to any of claims 13 to 17.
  20. A biometrically-authorisable device according to claim 19, wherein the biometrically-authorisable device comprises an on-board biometric sensor, and wherein the new data comprises a biometric reference template generated from data received from the biometric sensor.
  21. A biometrically-authorisable device according to claim 19 or 20, wherein the biometrically-authorisable device is a smartcard.
  22. A biometrically-authorisable device according to claim 19, 20 or 21, wherein the biometrically-authorisable device is a fingerprint-authorisable device.
  23. A process for writing to a memory system of a biometrically-authorisable device, the memory system comprising a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, the process comprising: identifying a first write start location from the first pointer buffer; writing data from a data storage block containing the first write start location to the first backup buffer; sequentially writing the new data to the data storage blocks, starting from the first write start location; and writing a second write start location to the second pointer buffer, the second write start location being a location immediately after the new data written to the data storage blocks.
  24. A computer program product comprising computer readable instructions that when executed will cause a memory system of a biometrically-authorisable device to perform a process according to claim 23.
  25. A biometrically-authorisable device comprising a memory system having a plurality of data storage blocks and four reserved memory locations including a first pointer buffer, a second pointer buffer, a first backup buffer and a second backup buffer, wherein the biometrically-authorisable device is configured to perform a process according to claim 23.
GB1909754.2A 2019-07-08 2019-07-08 Robust data storage algorithm Withdrawn GB2585641A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1909754.2A GB2585641A (en) 2019-07-08 2019-07-08 Robust data storage algorithm

Publications (2)

Publication Number Publication Date
GB201909754D0 GB201909754D0 (en) 2019-08-21
GB2585641A true GB2585641A (en) 2021-01-20

Family

ID=67623336

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1909754.2A Withdrawn GB2585641A (en) 2019-07-08 2019-07-08 Robust data storage algorithm

Country Status (1)

Country Link
GB (1) GB2585641A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110055625A1 (en) * 2009-08-28 2011-03-03 Toshiyuki Honda Nonvolatile memory device and memory controller
CN102541690A (en) * 2011-12-23 2012-07-04 北京握奇数据系统有限公司 Intelligent card and method for recovering data
US8276816B2 (en) * 2007-12-14 2012-10-02 Validity Sensors, Inc. Smart card system with ergonomic fingerprint sensor and method of using
WO2013160011A1 (en) 2012-04-24 2013-10-31 Zwipe As Method of manufacturing an electronic card
FR3053810A1 (en) * 2016-07-05 2018-01-12 Inside Secure TRANSACTION METHOD COMPRISING DATA WRITING OPERATIONS IN A NON-VOLATILE MEMORY

Also Published As

Publication number Publication date
GB201909754D0 (en) 2019-08-21

Similar Documents

Publication Publication Date Title
KR100343377B1 (en) Data writing to non-volatile memory
US8595826B2 (en) Portable electronic device and control method thereof
US8253531B2 (en) On chip verification and consequent enablement of card OS operation in smart cards
US7469837B2 (en) Storage device
CA2148145C (en) Passive transponder
US8286874B2 (en) Card and host device
US9418224B2 (en) Portable electronic device and control method of portable electronic device
US20170323166A1 (en) Smartcard and method for controlling a smartcard
RU2254608C2 (en) Method for protecting program execution process
EP1082710A1 (en) Preloaded ic-card and method for authenticating the same
JP2746801B2 (en) IC card and password verification method for IC card
JPH10240873A (en) Ic card
EP1109129A2 (en) IC card with self-diagnostic function
WO2018047949A1 (en) Portable electronic device
GB2585641A (en) Robust data storage algorithm
US20110227708A1 (en) Portable electronic device, communication device, and command processing method
US6811089B2 (en) Portable electronic medium issuing system and issuing method and portable electronic medium
US7730115B2 (en) System, microcontroller and methods thereof
JP4665467B2 (en) Authentication apparatus and method
EP3379424B1 (en) Ic card, portable electronic device, program, processing apparatus, and processing system
US9659425B2 (en) Electronic key for authentication
JP2000322535A (en) Information processing method and system for ic card
KR101660180B1 (en) Ic card, portable electronic apparatus, and ic card processing apparatus
JP7400528B2 (en) IC card with self-diagnosis function and IC card self-diagnosis method
JP7420130B2 (en) Electronic information storage medium, IC card, processing method, and program

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)