MXPA99002040A - System for preventing electronic memory tampering - Google Patents

System for preventing electronic memory tampering

Info

Publication number
MXPA99002040A
Authority
MX
Mexico
Prior art keywords
memory
partial
value
cell phone
valid
Application number
MXPA/A/1999/002040A
Other languages
Spanish (es)
Inventor
R Osborn William
Original Assignee
Ericsson Inc

Abstract

Methods and apparatus for preventing tampering with memory in an electronic device, such as a cellular telephone, are disclosed. An electronic device having a memory and a processing means contains logic that is used to perform a one-way hash calculation on the device's memory contents, whereby an audit hash value, or signature, of those contents is derived. The audit hash value is compared to an authenticated valid hash value derived from authentic memory contents. A difference between the audit and valid hash values can be indicative of memory tampering. In accordance with another aspect of the invention, electronic device memory contents can be updated by a data transfer device that is authenticated before being permitted access to the memory contents. Data transfer device authentication involves the use of a public/private key encryption scheme. When the data transfer device interfaces with an electronic device and requests memory access, a process to authenticate the data transfer device is initiated.

Description

SYSTEM FOR PREVENTING ELECTRONIC MEMORY TAMPERING

BACKGROUND OF THE INVENTION

The invention relates to a system for preventing tampering with an electronic memory, and in particular to methods and apparatus for preventing the unauthorized manipulation of memory contents that should be protected in an electronic device. The invention presented herein relates to an electronic device whose memory contents must be maintained in a protected, and preferably unaltered, state. Such a requirement may arise for security reasons, for example to prevent fraudulent manipulation of a cellular telephone's memory, or to maintain the integrity of an electronic device's operation in critical applications such as aircraft control or the operation of a medical instrument. Exemplary aspects of the invention are presented herein in the context of a system and method for protecting one or more electronic memories within a cellular telephone. Also described is a system that permits access to, and modification of, one or more electronic memories in an electronic device through the use of a data transfer device that must pass an authentication process before it can access an electronic memory. The latter system is likewise described in the context of a cellular telephone application. Although the exemplary embodiments presented herein are described in the context of a protected cellular telephone memory and a device for securely accessing and altering the memory contents of a cellular telephone, those skilled in the art will readily recognize that systems in accordance with the present invention can be applied to any electronic system having one or more memories whose contents must remain unchanged or which must be accessed only by authorized means.
Accordingly, the scope of the present invention is not limited to the exemplary embodiments presented herein; the only limitation is set forth in the appended claims and their equivalents. In the United States, losses due to cellular telephone fraud were estimated at $600 million in 1995. In response, service providers, the Federal Communications Commission (FCC) and industry groups have been investigating various techniques to combat such fraud. The majority of cellular fraud in the United States involves some form of memory manipulation in order to alter the electronic serial number (ESN) that a cellular telephone must provide to establish a call. Accordingly, one fraud prevention technique under consideration as an FCC regulation is to require cellular telephone manufacturers to build all microprocessor code and the ESN in such a way that they cannot be altered. Background information on basic cellular communications is provided below to help illustrate the cellular telecommunications operating environment and the problems at which systems embodying the present invention are directed. Figure 1 presents a simplified diagram of a cellular communication system. Mobile telephones M1-M10 communicate with the fixed part of a public switched telephone network by transmitting radio signals to cellular base stations B1-B10 and by receiving radio signals from those base stations. The base stations B1-B10 are in turn connected to the public switched network through a Mobile Switching Center (MSC). Each base station B1-B10 transmits signals within a corresponding area, or "cell", C1-C10.
As illustrated in Figure 1, in an idealized arrangement the base stations are organized so that the cells substantially cover an area in which mobile telephone communication usually occurs (e.g., a metropolitan area), with a minimum amount of overlap. When a user activates a mobile telephone within a cell, the telephone transmits a signal indicating its presence to the cell's base station. The mobile telephone transmits the signal, which may include its ESN, on a designated paging channel that is continuously monitored by each base station. When the base station receives the signal from the mobile telephone, it registers the presence of the telephone within the cell. This process may be repeated periodically so that the telephone remains properly registered if it moves to another cell. When a mobile telephone number is dialed, a telephone company central office recognizes the number as a mobile telephone and passes the call to the MSC. The MSC sends a page message to certain base stations based on the dialed mobile telephone number and the current registration information. One or more of the base stations transmit the page message on their paging channel. The dialed mobile telephone recognizes its identification on the paging channel and responds to the base station's page. The telephone then follows the instruction to tune to an assigned voice channel and begins ringing. When a mobile user ends a call, a signaling tone is transmitted to the base station, and both parties release the voice channel. In the operation described above, mobile telephones are not permanently connected to a fixed network but instead communicate with a base station over what is known as an "air interface".
This is obviously what gives cellular systems their flexibility, since a user can easily carry a mobile telephone without the restriction of being physically attached to a communication system. However, this same feature also creates problems regarding the protection of information transmitted in cellular telephone systems. For example, in ordinary wired telephone systems, a central office can identify a particular subscriber for billing purposes through the line to which the telephone is physically connected. Fraudulent use of a subscriber's account therefore typically requires making a physical connection to the subscriber's line, which exposes the would-be fraudulent user to the risk of discovery. Cellular systems, on the other hand, present no such connection problem to the fraudulent user, since they communicate over an air interface. Without protection schemes, fraudulent users can use another subscriber's account by obtaining the subscriber's electronic serial number (ESN), which the mobile telephone transmits to the network several times in order to establish and maintain a call. When a standard cellular connection is established, two identification codes are transmitted by the mobile telephone to the system: the Mobile Identification Number (MIN) and the ESN. The MIN identifies a subscriber, while the ESN identifies the actual equipment the subscriber is using. The MIN corresponding to a particular ESN can therefore be expected to change over time as subscribers acquire new equipment. The MIN is a 34-bit binary number derived from a 10-digit directory telephone number, while the ESN is a 32-bit binary number that uniquely identifies a mobile telephone. The ESN is typically set by the mobile telephone manufacturer.
A conventional authentication method used to establish a call in, for example, the Advanced Mobile Phone System (AMPS) is illustrated by the flow chart of Figure 2. According to this method, a base station receives both an ESN and a MIN from the mobile telephone in block 200. These identification codes are designated ESNm and MINm to indicate that they were received from the mobile telephone. In block 202 the base station retrieves from system memory the ESNsys corresponding to MINm. ESNsys is then compared with ESNm in block 204. If the two serial numbers match, flow passes to block 206 and access to the system is granted; otherwise access is denied in block 208. One drawback of this system is that it is relatively simple for a fraudulent user to obtain valid MIN/ESN combinations by listening on the air interface or from other sources, since under this conventional system an access is considered valid whenever the MIN and ESN received from the mobile telephone correspond to those stored in system memory.
All the information needed for a fraudulent access can thus be obtained by electronic eavesdropping. In systems operating under the European GSM (Global System for Mobile Communication) standard, the American TIA/EIA/IS-136 standard, and radio communication systems under the Japanese Personal Digital Cellular standard, fraud resulting from eavesdropping is prevented through the use of a challenge-response method. Under the challenge-response method, each mobile telephone is associated with a unique secret key stored both in the telephone and in a database on the network. An algorithm unique to the system is stored in each mobile telephone and in the relevant network nodes. When a call is set up, authentication is requested and the network sends a challenge (a random number) to the mobile telephone. From the received challenge and the stored secret key, the telephone computes a response using the algorithm and transmits it to the network. Meanwhile, the network computes an "expected" response from the same challenge and the secret key it holds. The network then receives the telephone's response and compares it with its own. If there is a discrepancy, appropriate action is taken, for example access is denied or a warning indication is raised. A method for carrying out authentication between a base station and a mobile telephone in a mobile radio system is presented in U.S. Patent No. 5,282,250 to P. Dent et al. In a conventional analog system such as AMPS, most fraud is carried out by fraudulent users who "clone" valid subscribers by acquiring valid MIN/ESN pairs and using them to reprogram a cellular telephone.
In more sophisticated cloning arrangements, the cellular telephone's software is reprogrammed so that it can use several MIN/ESN pairs, in a practice called "laps". A cellular telephone programmed with a laps routine randomly selects one of its MIN/ESN pairs to initiate a call. When the fraud is identified by the service provider or subscriber, the MIN/ESN pairs are invalidated. When an invalid MIN/ESN pair is encountered while attempting a call, the laps routine simply discards that pair and keeps searching until a valid one is found. After all of the MIN/ESN pairs programmed into the telephone have been invalidated, the user typically returns to the cloner to have a new set programmed in. Most cellular fraud involves some degree of memory manipulation. This is described with reference to Figure 3, which shows a block diagram of a conventional cellular telephone memory and processor arrangement. A controller 300 communicates with a ROM or flash program memory 320, an EEPROM 310, and a random access memory (RAM) 330 over a memory bus 308. The program memory 320 is a non-volatile read/write memory used to store most of the code for the general operation of the telephone. The EEPROM 310 is used to store the MIN/ESN pair 314 and 316 and user profile information 312 (for example, speed dial numbers), and the RAM is used as read/write working memory. Cloners are known to monitor the transfer of messages between the memories and the controller 300 to obtain information that is then used to bypass or modify information stored in the flash memory 320 or the EEPROM 310. The most common method of telephone fraud has been the illegitimate use of test commands, intended for telephone service and repair, to change the ESN. However, the most recently produced telephones are resistant to this alteration and have effectively eliminated this form of attack.
Consequently, cloners have resorted to more sophisticated modes of attack. One technique involves removing the original EEPROM 310 containing the ESN 314 and replacing it. After removal, the EEPROM is studied to decipher its contents, and the deciphered contents are then used to program a replacement EEPROM with an ESN/MIN pair fraudulently appropriated from a valid user account. This technique may be attractive to a cloner who only wishes to change one ESN at a time, but it is labor-intensive, and even trained cloners can damage printed circuit boards if they do not take extreme care. A major step up in cloning sophistication involves analyzing a telephone's microprocessor program code and rewriting one or more sections of it to transmit a fraudulent identity (ESN/MIN pair) to a cellular base station. This often involves reverse engineering portions of the telephone hardware design and requires a significant understanding of the embedded software design. The obvious advantage of this method, however, is that once the modification is complete, the telephone can be reprogrammed with a new identity as often as desired. The most sophisticated attacks combine alterations of the telephone's microprocessor code, as described above, with a modification of the hardware. One example of this technique employs what is known as "shadow memory" to avoid detection by conventional memory validation routines, which run only during the boot process when the telephone is switched on. The boot process is carried out according to a small boot code 304 contained in the controller 300 (see Figure 3). The boot process places the telephone in an in-service condition and sets the microprocessor 301 program counter to an appropriate location in the flash memory 320.
When the process is complete, the controller 300 may illuminate an LED 318 (or an equivalent signal) that tells the user the telephone is in service. A cloner may monitor the connection 306 between the controller 300 and the LED 318 in order to intervene in the execution of the normal operating code in the flash memory 320, as described in more detail below. The flash memory 320 in a typical modern cellular telephone has an addressable capacity of 512K. A cloner may remove the flash memory 320 and replace it with a 1,024K shadow memory 322 after copying the contents of the original flash memory 320 into the first 512K of the shadow memory. During start-up, program memory accesses are directed to that first 512K, the copy of the original flash memory 320, and validation succeeds. The cloner then monitors a signal available in the telephone that indicates the boot process has finished (such as the LED signal 306) in order to switch all subsequent program memory accesses to the shadow memory 322. Thereafter the telephone operates according to the instructions found in the shadow memory 322, which can be programmed to contain a laps routine and the corresponding MIN/ESN pairs. Since most cellular fraud is based on some degree of memory manipulation, the Federal Communications Commission (FCC) is currently considering a solution focused on that aspect of cellular fraud. The solution is embodied in a proposed FCC rule designated § 22.919. As currently drafted, rule § 22.919 prohibits alteration of a mobile telephone's operating software; requires that the ESN be set at the factory and be incapable of being altered, transferred, removed or manipulated in any way; and requires that the mobile transmitter become inoperable if any party, including the manufacturer, attempts to remove, alter or change the ESN, the system logic, or the firmware of the telephone.
From a consumer's perspective, the current ability of a manufacturer or its authorized representatives to program cellular telephones makes it easy to replace telephones that are not operating properly. For example, if a subscriber's telephone is not operating correctly, the subscriber can obtain a new unit from an authorized factory representative and have it programmed with the same electronic "personality" as the previous unit. The electronic personality of a cellular telephone includes not only the ESN but also the user profile and a substantial amount of information programmed into the unit by the subscriber, such as personal and/or business telephone numbers. Repair and replacement programs, together with the technology for making quick and easy changes of the ESN and other memory contents, have been developed at the insistence of cellular service providers, who do not want their subscribers to suffer from defective terminals. Under FCC § 22.919, a subscriber in the situation described above may still obtain a new mobile unit if the previous unit is defective. However, since a new fixed ESN will be associated with the new unit, the new ESN will have to be communicated to the cellular carrier, which will have to enter it in its database. This can leave the subscriber without service for a long period, and the subscriber will also have to reprogram the telephone with personal or business numbers. A much more important problem with § 22.919 is the negative impact it will have on the ability of cellular service providers to offer their subscribers system upgrades by programming or reprogramming their telephones. The practical impact that § 22.919 may have on the industry's ability to upgrade systems is demonstrated as follows.
The use of a digital control channel, as specified for example in the TIA/EIA/IS-136 standard, allows cellular carriers to offer new extended services such as short message services. If carriers, manufacturers or authorized agents can make changes to a telephone's software and/or firmware, such services can be made available to subscribers quickly and efficiently through software updates of the terminals. Under § 22.919 (in its current form), neither the manufacturer, nor a service representative authorized by the manufacturer, nor a cellular carrier may make these changes to the software. The only way a carrier could offer a subscriber a system upgrade would be to require the subscriber to purchase a new telephone. To lessen the impact of § 22.919 on subscribers and on the manufacturing community, the FCC provided that the rule would apply to telephones for which initial type acceptance applications were filed after January 1, 1995. In effect, the FCC has exempted the 20 million telephones currently in operation, as well as the millions of telephones put into service after January 1, 1995 on the basis of type acceptance applications filed before that date. The fact that so many units whose electronic information can be manipulated for illegal purposes are already on the market suggests that § 22.919 will have little impact on the fraud problem. Entities that commit fraud through illegal alteration of ESNs can continue to do so using the millions of terminals not subject to the restrictions of § 22.919. As can be seen from the above, providing a cellular telephone with a more secure memory is highly desirable. At present there appear to be no solutions for retrofitting existing telephones to make them tamper-resistant.
Furthermore, there appear to be no methods or apparatus for providing updates to the memories of electronic devices in such a way that only authorized access is assured.

SUMMARY OF THE INVENTION

These and other drawbacks of conventional methods and proposed solutions for preventing alteration of cellular telephone memory, and of electronic memory in general, are overcome by the present invention, exemplary embodiments of which protect the contents of electronic memory against unauthorized access and manipulation. In accordance with one aspect of the invention, security is achieved by periodically checking the contents of an electronic memory in an electronic device in order to ensure that the contents have not been altered. The check consists of performing a hash calculation (rendered as a "partial calculation" in the machine-translated source) on selected contents of the electronic memory to derive an audit hash value, or verification signature, of those contents. The audit hash value is compared with a valid hash value previously derived from the authentic contents of the memory. The valid hash value is stored in advance in an electronic memory in encoded form and is decoded only for comparison purposes. A discrepancy between the audit hash value and the valid hash value may indicate an alteration of the memory, whereupon the electronic device containing the memory may be made inoperative or a warning indication may be presented. In accordance with another aspect of the invention, electronic memory contents such as those of a cellular telephone memory (including the telephone's ESN) can be updated by a data transfer device that is authenticated before it is allowed access to the memory contents. Authentication of the data transfer device makes use of a public/private key scheme.
When the data transfer device is connected to the electronic device and requests access, the electronic device initiates a process to authenticate the data transfer device. This may involve the exchange of a series of messages between the two devices. A public key held within the electronic device is used to decode a message that has been encoded, or "signed", with a secret private key held within the data transfer device. More particularly, when the data transfer device requests to program the electronic device, an authentication process is initiated. The electronic device responds by sending a challenge message to the data transfer device. The challenge message is signed with a digital signature using the private key stored in the data transfer device, and the signed challenge is sent back to the electronic device, which authenticates it using the public key. Once authenticated, the data transfer device is authorized to access privileged commands and capabilities in the electronic device. After an electronic memory has been reprogrammed, the electronic device performs a hash calculation on the modified memory contents to derive a new valid hash value. The new hash value is returned to the data transfer device for digital signature with the private key, and the signed value is returned to the electronic device for storage. When the electronic device subsequently checks its memory, the resulting audit hash value is compared with the new valid hash value.
BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the present invention will be more readily understood upon reading this description in conjunction with the drawings, in which:
Figure 1 represents an idealized diagram of a cellular communication system;
Figure 2 is a flow chart illustrating a conventional cellular authentication method for setting up a cellular call;
Figure 3 shows a conventional cellular telephone processor and memory arrangement;
Figure 4 shows a cellular telephone processor and memory arrangement in accordance with an exemplary embodiment of the present invention;
Figure 5 is a flow chart illustrating a cellular telephone boot process in accordance with an embodiment of the invention;
Figure 6 is a flow chart illustrating an exemplary periodic memory validation process in accordance with the invention;
Figure 7 shows an exemplary data transfer device in accordance with an embodiment of the invention;
Figure 8 is a flow chart illustrating an exemplary process for authenticating the data transfer device in accordance with an embodiment of the invention;
Figure 9 is a flow chart illustrating an exemplary process for registering an initial ESN in a cellular telephone memory in accordance with an embodiment of the invention;
Figure 10 is a flow chart illustrating an exemplary process for reprogramming an established ESN in accordance with the invention;
Figure 11 shows a protected memory arrangement in accordance with an exemplary embodiment of the invention; and
Figure 12 shows an exemplary cellular telephone programmer in accordance with an embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

An exemplary electronic memory system comprising apparatus and methods in accordance with the present invention is presented below in the context of an application to a cellular telephone. The examples described below are provided simply to illustrate an ideal application embodying the invention.
With reference to Figure 4, a controller 400 controls the operation of a cellular telephone (see, for example, reference 1204 in Figure 12). The controller 400 operates in conjunction with a flash program memory 420, an electrically erasable programmable read-only memory (EEPROM) 410, and a random access memory (RAM) 408. The controller 400 includes a microprocessor 402 and an internal read-only memory (IROM) 403. The IROM 403 holds a boot code 404, a hash code 405, an authentication code, and a public key 406. The controller 400 also contains a protected static random access memory (PSRAM) 407, an interrupt controller 421, and hardware-based timers 401 that initiate periodic hash calculations by the microprocessor 402 over selected memory contents. The EEPROM 410 holds user profile data 412, an ESN 414, a MIN 416, and a pair 418 of hash values, one signed and one unsigned. The instruction code for the general operation of the cellular telephone is found in the flash program memory 420. The RAM 408 is used as scratch-pad memory for operations that form part of the normal processing of a cellular call.
Operations involving sensitive data, hash value calculations and authentication processes are preferably carried out using the PSRAM 407. The controller 400 communicates with the flash program memory 420, the RAM 408 and the EEPROM 410 over a memory bus 424. A process for powering up the telephone and validating memory for the system of Figure 4, in accordance with an exemplary embodiment of the invention, is illustrated in Figure 5. After the telephone is switched on, the boot code 404 in the IROM 403 is executed by the microprocessor 402 to initialize the controller (block 500). The hash code 405 contained in the IROM 403 is then executed to perform an audit hash calculation over the selected contents of the flash program memory 420 and the ESN 414 value stored in the EEPROM 410 (block 502). The authentication code then authenticates the signed valid hash value of the pair 418 stored in the EEPROM 410 (block 504). This may consist of processing the signed valid hash value with the public key 406 and comparing the result with the unsigned hash value. The authenticated valid hash value is then stored in the PSRAM 407 (block 506). The audit hash value derived in block 502 is compared with the authenticated valid hash value from block 504 (block 508). If the two hash values match, the microprocessor program counter is set to the appropriate location in the flash memory 420 and the periodic hash calculation process is enabled (block 510), after which the telephone begins normal operation (block 512). If the hash values do not match in block 508, the system is placed in an infinite loop (block 514) or otherwise disabled.
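The boot-time validation of Figure 5 together with the challenge-response and signed valid-hash update described in the summary, as an added worked model that is not the patent's own code: the unspecified public/private key scheme is stood in for by textbook RSA over two Mersenne primes (an assumption, and not a secure signature), the 64-byte flash image and the ESN values are constructed, and the class and function names are hypothetical.

```python
import hashlib
import os

# Toy RSA key pair from two Mersenne primes. Textbook RSA with no padding and a reduced
# message space: it only illustrates the public/private key roles of the patent and is
# not a secure signature scheme (constructed for this example).
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
_N = _P * _Q
PUBLIC_KEY = (_N, 65537)                                   # (n, e): public key 406 in IROM
_PRIVATE_KEY = (_N, pow(65537, -1, (_P - 1) * (_Q - 1)))   # (n, d): held only by the programmer


def memory_hash(flash, esn):
    """Audit hash over the protected contents: flash program memory plus the ESN (block 502)."""
    return hashlib.sha256(bytes(flash) + bytes(esn)).digest()


def sign(private_key, message):
    n, d = private_key
    return pow(int.from_bytes(message, "big") % n, d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(message, "big") % n


class DataTransferDevice:
    """Programmer holding the private key (the data transfer device of Figure 7)."""

    def __init__(self, private_key):
        self._key = private_key

    def sign_challenge(self, challenge):
        return sign(self._key, challenge)

    def sign_hash(self, hash_value):
        return sign(self._key, hash_value)


class Phone:
    def __init__(self, flash, esn, hash_pair):
        self.flash = bytearray(flash)      # flash program memory 420
        self.esn = bytearray(esn)          # ESN 414 in EEPROM 410
        self.hash_pair = hash_pair         # pair 418: (unsigned valid hash, signed valid hash)
        self.psram_valid_hash = None       # PSRAM 407
        self.privileged = False
        self.in_service = False

    def boot(self):
        """Figure 5, blocks 500-514. Returns True if the phone enters service."""
        audit = memory_hash(self.flash, self.esn)                 # block 502
        valid, signed_valid = self.hash_pair
        if not verify(PUBLIC_KEY, valid, signed_valid):            # block 504
            self.in_service = False                                # block 514
            return False
        self.psram_valid_hash = valid                              # block 506
        self.in_service = audit == self.psram_valid_hash           # block 508
        return self.in_service                                     # 510/512 or 514

    def authenticate(self, programmer, challenge=None):
        """Challenge-response: only a holder of the private key earns privileged access."""
        challenge = challenge or os.urandom(16)
        response = programmer.sign_challenge(challenge)
        self.privileged = verify(PUBLIC_KEY, challenge, response)
        return self.privileged

    def reprogram_esn(self, programmer, new_esn):
        """Privileged ESN update; the new valid hash is signed by the programmer and stored."""
        if not self.privileged:
            raise PermissionError("data transfer device not authenticated")
        self.esn = bytearray(new_esn)
        new_valid = memory_hash(self.flash, self.esn)
        self.hash_pair = (new_valid, programmer.sign_hash(new_valid))


def demo():
    """Genuine boot, two tampering attempts, a rogue programmer, then an authorised repair."""
    flash = bytes(range(64))                       # constructed program memory
    esn = bytes.fromhex("0a1b2c3d")                # constructed ESN
    programmer = DataTransferDevice(_PRIVATE_KEY)
    valid = memory_hash(flash, esn)
    phone = Phone(flash, esn, (valid, programmer.sign_hash(valid)))
    results = {"genuine_boot": phone.boot()}
    # A cloner rewrites the ESN in EEPROM but cannot re-sign the stored hash pair.
    phone.esn = bytearray.fromhex("deadbeef")
    results["tampered_esn_boot"] = phone.boot()
    # The cloner also replaces the pair with a hash of the tampered contents; without the
    # private key the signature half is junk and block 504 rejects it.
    forged = memory_hash(phone.flash, phone.esn)
    phone.hash_pair = (forged, 0)
    results["forged_pair_boot"] = phone.boot()
    # A programmer with the wrong private exponent fails the challenge.
    rogue = DataTransferDevice((_N, 12345))
    results["rogue_programmer"] = phone.authenticate(rogue)
    # The genuine programmer passes, restores a signed pair, and the phone boots again.
    results["genuine_programmer"] = phone.authenticate(programmer)
    phone.reprogram_esn(programmer, esn)
    results["boot_after_reprogram"] = phone.boot()
    return results
```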
The above process prevents a cloner from substituting either a modified program in flash memory or a modified ESN in the EEPROM 410, since doing so would cause a hash mismatch and render the telephone inoperable. To prevent a shadow memory 422 from being swapped in for the valid flash memory 420 after normal operation has begun, it is preferable also to carry out periodic hash processing. During normal operation of the telephone, the periodic hash calculation is carried out in response to the expiry of a timer or in response to other system events. In the exemplary embodiment of Figure 4, a periodic hash calculation is initiated in response to the expiry of a hardware-based timer 401, which causes the generation of a non-maskable interrupt (NMI). An NMI is a hardware interrupt that cannot be "masked" by software processes; a cloner therefore cannot write shadow code that ignores it. A regular interrupt is also a hardware interrupt, but one that must compete with other regular interrupts from normal telephone events for access to microprocessor resources; it is recognized and serviced when it becomes the highest-priority pending interrupt request. Since a full hash calculation may take longer than is tolerable during normal telephone operation, it is preferable to provide the capability of carrying out the process piecemeal, in several segments spread over a period of time (e.g., a few seconds). In accordance with another aspect of a preferred embodiment, the hardware-based timers trigger a two-step process to perform each segment of the hash calculation. First, a non-maskable interrupt (NMI) causes the microprocessor to immediately fetch the contents of the next flash or EEPROM memory location scheduled for inclusion in the periodic hash calculation and store them in PSRAM.
The NMI is preferably a short, highest-priority interrupt that has negligible effect on the microprocessor tasks that may be active when the NMI occurs. This ensures that cloned software cannot take any action to avoid detection by the hash calculation. A second, lower-priority standard interrupt is also generated by the hardware-based timers 401; it requests service to complete the current segment of the hash calculation based on the memory byte previously captured by the NMI routine. This action may be postponed, as required by normal call processing tasks, for a predefined maximum time (T) before the hardware timer expires and disables the telephone. The maximum time (T) is chosen to be sufficient to complete the processing of a legitimate call, to complete the hash calculation segment, and to restart the hardware timer at the beginning of its countdown cycle before it expires. The strategy of using two types of interrupt to periodically complete a segment of the hash calculation avoids degrading system response while ensuring that the security check cannot be circumvented by cloned software located in the shadow flash memory. A flowchart showing an exemplary periodic hash calculation process in accordance with the present invention is illustrated in FIG. 6. With reference to the figure, both an NMI and a regular interrupt are generated in block 604 when the T1 counter in the hardware timer 401 reaches its end (block 602). Once the NMI gains control of the microprocessor (block 604), the system either disables or queues regular interrupts for a short period of time during which the next byte of flash or EEPROM memory required for the hash calculation is copied into the PSRAM (block 606). Control then returns to the task that was executing when the NMI occurred (block 608).
Under normal conditions, within a short period of time the regular interrupt from the hardware-based timer 401 is also serviced (block 610) and a hash calculation segment is completed based on the memory byte previously stored in the PSRAM (block 616). Once completed, the hardware-based timers (T1 and T2) 401 are reinitialized to their initial values (block 624) and normal telephone operation proceeds (block 600) until the T1 timer expires again. If the T2 timer expires (block 612) before the regular interrupt is serviced (block 610), the telephone is disabled (block 614). The default expiration of timer T2 (unless the regular interrupt has been serviced correctly) prevents a cloner from disabling the periodic calculation. This periodic, segmented calculation of the verification hash value continues until the verification hash value calculation is complete (block 618). The previously authenticated value is then retrieved from the PSRAM and compared with the verification hash value (block 620). If there is a match, the hardware-based timers 401 are reset (block 624) and the phone continues to operate normally (block 600). If there is a mismatch, the system is disabled (block 622), for example by placing the microprocessor 402 in a halt condition.
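The boot-time check of FIG. 5 and the segmented periodic check of FIG. 6 can be modelled as follows. This is an added example written for this page, not code from the patent or from Ericsson. It uses MD5 from Python's hashlib as the one-way hash, treats one memory byte per expiry of the T1 timer as one segment, and assumes the stored valid hash value has already been authenticated against its signature (the public-key step is not shown). The memory images, the 1 KiB flash size, the 32-bit ESN, the tick budget max_delay and all class and function names are constructed for this example.

```python
import hashlib

# Constructed memory images (not from the patent): a 1 KiB stand-in for the
# flash program memory 420 and a 32-bit ESN standing in for ESN 414 in EEPROM 410.
FLASH = bytes(range(256)) * 4
ESN = (0x1234ABCD).to_bytes(4, "big")


def selected_contents(flash: bytes, esn: bytes) -> bytes:
    """Memory regions covered by the check: program image followed by the ESN."""
    return flash + esn


def full_hash(flash: bytes, esn: bytes) -> bytes:
    """One-shot hash of the selected contents (blocks 502 and 618)."""
    return hashlib.md5(selected_contents(flash, esn)).digest()


def boot_check(flash: bytes, esn: bytes, valid_hash: bytes) -> str:
    """FIG. 5, blocks 502 to 514: recompute, compare, then run or lock up.
    valid_hash is assumed already authenticated against its signature."""
    return "run" if full_hash(flash, esn) == valid_hash else "halt"


class SegmentedAudit:
    """FIG. 6 model: one memory byte per expiry of the hardware timer T1.

    nmi() plays the non-maskable interrupt: it only copies the next byte into
    PSRAM and returns.  regular_irq() plays the lower-priority interrupt that
    folds the captured byte into the running digest.  Call processing may
    delay that interrupt, but if more than max_delay ticks pass first, the
    watchdog T2 expires and the phone is disabled (blocks 612 and 614).
    """

    def __init__(self, flash: bytes, esn: bytes, valid_hash: bytes, max_delay: int):
        self.image = selected_contents(flash, esn)
        self.valid_hash = valid_hash
        self.max_delay = max_delay
        self.digest = hashlib.md5()      # progressive state, updated per segment
        self.pos = 0                     # next byte scheduled for the hash
        self.psram_byte = None           # byte captured by the NMI
        self.state = "running"           # running | verified | disabled

    def nmi(self) -> None:
        """Block 606: capture the next flash/EEPROM byte into PSRAM, nothing more."""
        if self.state == "running":
            self.psram_byte = self.image[self.pos]
            self.pos += 1

    def regular_irq(self, delay_ticks: int) -> None:
        """Blocks 610 to 624: finish this segment, or trip the watchdog."""
        if self.state != "running":
            return
        if delay_ticks > self.max_delay:          # T2 ran out before service
            self.state = "disabled"
            return
        self.digest.update(bytes([self.psram_byte]))
        self.psram_byte = None
        if self.pos == len(self.image):           # block 618: hash complete
            if self.digest.digest() == self.valid_hash:
                self.state = "verified"           # block 624: timers reset
            else:
                self.state = "disabled"           # block 622: mismatch, halt


def run_audit(flash: bytes, esn: bytes, valid_hash: bytes,
              max_delay: int = 5, delays=None) -> str:
    """Drive one complete audit cycle.  delays[i] is how many ticks the
    regular interrupt for segment i is postponed by other tasks."""
    audit = SegmentedAudit(flash, esn, valid_hash, max_delay)
    n = len(audit.image)
    delays = list(delays or []) + [0] * n        # pad with zero delay
    for i in range(n):
        audit.nmi()
        audit.regular_irq(delays[i])
        if audit.state != "running":
            break
    return audit.state


if __name__ == "__main__":
    valid = full_hash(FLASH, ESN)                  # the copy whose signed form lives in EEPROM
    print("boot:", boot_check(FLASH, ESN, valid))
    print("audit of authentic memory:", run_audit(FLASH, ESN, valid))
    shadow = bytearray(FLASH)
    shadow[0x100] ^= 0x01                          # single-bit change in a shadow flash image
    print("audit of shadow memory:", run_audit(bytes(shadow), ESN, valid))
```

The shadow case shows why the periodic check exists: the image passes the boot check before the swap, and the single flipped bit is caught only by the next complete audit cycle. The watchdog path shows the other failure mode the description insists on: a segment whose regular interrupt is held off beyond the T2 budget disables the phone even though the memory is genuine.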
The selected contents of the cell phone memory over which the hash calculation is carried out preferably include contents of the flash memory 420 and the ESN 414 within the EEPROM 410. This prevents a cloner from physically removing or modifying either the flash memory or the EEPROM and replacing it with a reprogrammed device containing a modified ESN and/or modified program code designed to defraud the cellular service provider. Preferably, the selected memory contents and the hash calculation used make the telephone inoperable upon modification of even a single bit of memory included in the hash calculation. In accordance with another aspect of the invention, a cellular telephone can be programmed securely using a data transfer device. An exemplary data transfer device in accordance with the present invention is illustrated in FIG. 7. The reference numerals of the controller 400, its contents, and the related memories are identical to those of FIG. 4. The exemplary data transfer device 750 includes a secure microprocessor 752 that contains a private encryption key 754 corresponding to the public encryption key 406 in the IROM 403 of the controller 400. The secure microprocessor 752 communicates with the cellular telephone controller 400 through an interface 758. The interface 758 can be a wired serial link, such as an RS-232 link, a wireless infrared interface, or an RF interface such as the main antenna of the cell phone (not shown) or another antenna within the cell phone. The data transfer device 750 is granted access to the cell phone memory only after completing a rigorous authentication process. More specifically, the controller 400 (and the related memory components) can be accessed for the purpose of downloading data only after the data transfer device 750 has passed a challenge-response process that establishes its authenticity.
FIG. 8 illustrates an exemplary process for authenticating the data transfer device 750 in accordance with an exemplary embodiment of the present invention. In a first step (block 800), the telephone is brought into an operating condition, preferably using the fraud prevention process previously described in relation to FIG. 5. After an interface is established, the secure microprocessor 752 sends a programming request message to the controller 400 together with a random number (Rand1) generated by the secure microprocessor 752 (block 802). In response, the controller 400 sends a random challenge code (Rand2) to the secure microprocessor 752 (block 804). The secure microprocessor 752 then generates a challenge response based on Rand1, Rand2 and the private key 754 (block 806). The challenge response is returned to the controller 400 (block 808). The challenge response is processed by the controller 400 using Rand1, Rand2 and the public key 406 (block 810). The processed challenge response is then authenticated by comparing its value with Rand2 (block 812). If the challenge response decodes correctly (e.g., to Rand2), the authenticity of the data transfer device is established and the telephone enters a programming mode (block 814); the data transfer device 750 can then access the various memories in the cell phone and/or download new flash memory 420 contents. If the challenge response is not valid, a failure count is incremented (block 816). The failure count is checked to determine whether a predetermined number (maxcount) has been reached (block 818). The failure count takes into consideration that the data transfer device 750 may be communicating with the controller 400 over a noisy medium; any resulting transmission error may cause an authentication failure. Accordingly, it is preferable to give the data transfer device 750 more than one opportunity to put the cellular telephone into programming mode.
In an exemplary embodiment of the invention, a predetermined maximum of 50 was found to be suitable. If the predetermined number has not been reached, a message is sent to the data transfer device 750 indicating that an authentication failure has occurred (block 822). Upon receipt of this indication, the authentication process is restarted at block 802. If the predetermined number of attempts has been reached, the telephone is placed in an inoperable condition, and a message may be displayed indicating to the user that the telephone must be returned for authorized service. After the data transfer device 750 has completed an ESN reprogramming or a download into the flash memory 420, the controller 400 within the telephone initiates a new hash calculation including, for example, the revised contents of the flash memory 420 and the ESN 414. The resulting hash value is sent to the data transfer device 750 for digital signature using the private key 754. The signed hash value is then returned to the controller 400 for storage in the EEPROM 410, together with an unsigned version of the same hash value. An ESN can be reprogrammed in accordance with the invention, but for security reasons ESN programming is preferably carried out at the factory level and not by factory-authorized representatives. ESN programming can occur in two situations: the initial ESN programming during manufacturing, and the reprogramming of an existing ESN. An initial ESN can be programmed using a data transfer device similar to the device of FIG. 7. The initial ESN programming process is described below with reference to FIG. 9. In a first step (block 900), the telephone enters an operating condition (see FIG. 5). After establishing an interface with the telephone, the secure microprocessor 752 sends an ESN programming request message to the controller 400 along with a random number (Rand1) (block 902).
The controller 400 checks whether the ESN inside the telephone is all zeros, which is always the case for a newly manufactured telephone (block 904). If the ESN is not all zeros, the request for ESN programming mode is denied (block 906). If the ESN is all zeros, a challenge-response process substantially similar to that of steps 804 to 820 of FIG. 8 is initiated (block 908). After successful authentication of the data transfer device 750, a new ESN can be downloaded to the EEPROM 410. After the data transfer device 750 has finished downloading the ESN into the EEPROM 410, the controller 400 starts a new hash calculation that includes the new ESN 414. The resulting hash value is sent to the data transfer device 750 for digital signature using the private key 754. The signed hash value 418 is then returned to the controller 400 for storage in the EEPROM 410 together with the unsigned version of the same hash value. An existing ESN can also be reprogrammed in a system embodying the present invention. The ESN reprogramming process is preferably carried out only at the factory level and not by local factory-authorized representatives. Additional security is provided through the use of a set of microprocessor instructions, available only at the factory, that are loaded into the telephone for the purpose of changing an ESN previously programmed into it. The process can be carried out using a data transfer device similar to that illustrated in FIG. 7 and is described below with reference to FIG. 10. In a first step (block 1000), the telephone is placed in regular programming mode in accordance with the process illustrated in FIG. 8. A factory data transfer device 750 contains ESN reprogramming code 756 that can be downloaded into the PSRAM 407 of the cell phone in order to carry out the ESN reprogramming.
After the system has been placed in programming mode, the ESN reprogramming code 756 is downloaded into the PSRAM 407 (block 1002). Executing the ESN reprogramming code 756, the controller 400 sets the existing ESN to zeros (block 1004) and starts the ESN programming process (block 1006). After the data transfer device 750 has completed writing the new ESN into the EEPROM 410, the controller 400 starts a new hash calculation including the new ESN 414 (block 1008). The resulting hash value is sent to the data transfer device 750 for digital signature using the private key 754 (block 1010). The signed hash value 418 is then returned to the controller 400 for storage in the EEPROM 410 together with the unsigned version of the same hash value (block 1012). The hash calculation and the digital signature in exemplary embodiments of the present invention are carried out using one-way hash functions and a private/public key authentication scheme. A one-way hash function is used to derive the hash value representative of the memory contents within the cellular telephone. The public/private key system is used to secure the valid hash value stored in the EEPROM and to authenticate a data transfer device or programmer that attempts to manipulate the memory in the cell phone. One-way hashing is known to those skilled in the art and is described, for example, in U.S. Pat. No. 5,343,527 to Moore. A one-way hash function is simple to compute in the forward direction but difficult to compute in the reverse direction. A one-way hash function, H(M), operates on an input of arbitrary length, M, which in exemplary embodiments of the present invention consists of selected contents of the electronic memory, and returns a hash value of fixed length, h (see Equation 1).
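The challenge-response exchange of FIG. 8, followed by the download and the re-signing of the new hash value described for FIGS. 9 and 10, can be exercised end to end with the following model. This is an added example written for this page, not code from the patent or from Ericsson. It assumes textbook RSA as the public/private key scheme (the description prefers Fiat-Shamir), uses two Mersenne primes as a constructed toy modulus that is far too small for real use, combines the random numbers as Rand1 || Rand2 before signing (the patent does not specify the combining function), and uses MD5 for the hash. MAXCOUNT follows the value of 50 given in the description; the memory images, the 32-bit random numbers and all class and function names are this example's own.

```python
import hashlib
import secrets

# Constructed toy RSA parameters (not from the patent): two Mersenne primes give
# a 150-bit modulus, enough to hold a 128-bit MD5 digest. Real keys are far larger.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                    # Equation 2: n = pq
PHI = (P - 1) * (Q - 1)      # Equation 3: F = (p-1)(q-1)
E = 65537                    # public exponent, relatively prime to PHI
D = pow(E, -1, PHI)          # Equation 4: ed = 1 (mod F)
MAXCOUNT = 50                # failures tolerated, per the description
RAND_BITS = 32               # width of Rand1 and Rand2 in this model


def rsa_private(m, d=D):     # sign with the private exponent (Equation 6 form)
    return pow(m, d, N)


def rsa_public(c):           # open with the public exponent (Equation 5 form)
    return pow(c, E, N)


class DataTransferDevice:
    """Secure microprocessor 752 holding private key 754."""

    def __init__(self, d=D):
        self.d = d           # a rogue device holds some other d
        self.rand1 = None

    def request_programming(self):
        """Block 802: programming request carrying a fresh Rand1."""
        self.rand1 = secrets.randbits(RAND_BITS)
        return self.rand1

    def answer(self, rand2, corrupt=False):
        """Block 806: response depends on Rand1, Rand2 and the private key;
        corrupt=True flips one bit to model a transmission error."""
        resp = rsa_private((self.rand1 << RAND_BITS) | rand2, self.d)
        return resp ^ 1 if corrupt else resp

    def sign_hash(self, digest):
        """Blocks 910 and 1010: sign the phone's new hash value."""
        return rsa_private(int.from_bytes(digest, "big"), self.d)


class Phone:
    """Controller 400: public key 406, failure counter, EEPROM copies."""

    def __init__(self, flash, esn):
        self.flash, self.esn = flash, esn
        self.failures, self.mode = 0, "normal"     # normal | programming | inoperable
        self.valid_hash = self.signed_hash = None  # unsigned and signed copies (EEPROM 410)
        self.rand1 = self.rand2 = None

    def challenge(self, rand1):
        """Block 804: remember Rand1 and issue Rand2."""
        self.rand1, self.rand2 = rand1, secrets.randbits(RAND_BITS)
        return self.rand2

    def verify(self, response):
        """Blocks 810 to 822: open the response with the public key and compare."""
        if self.mode == "inoperable":
            return "inoperable"
        if rsa_public(response) == ((self.rand1 << RAND_BITS) | self.rand2):
            self.failures, self.mode = 0, "programming"      # block 814
            return "programming"
        self.failures += 1                                   # block 816
        if self.failures >= MAXCOUNT:                        # block 818
            self.mode = "inoperable"
            return "inoperable"
        return "retry"                                       # block 822, back to 802

    def download_flash(self, image):
        if self.mode != "programming":
            raise PermissionError("memory access requires programming mode")
        self.flash = image

    def new_hash(self):
        """Block 1008: hash over the revised flash contents and the ESN."""
        return hashlib.md5(self.flash + self.esn).digest()

    def store_signed_hash(self, digest, signature):
        """Block 1012: keep signed and unsigned copies, after checking that the
        signature opens to the digest (the same test the boot code makes)."""
        if rsa_public(signature) != int.from_bytes(digest, "big"):
            return False
        self.valid_hash, self.signed_hash = digest, signature
        return True


def provision(phone, device, new_image, corrupt_attempts=0):
    """Run FIG. 8 until it settles, then download and re-sign the hash.
    corrupt_attempts: how many responses the link garbles before a clean one."""
    attempt = 0
    while True:
        rand2 = phone.challenge(device.request_programming())          # 802/804
        outcome = phone.verify(device.answer(rand2, attempt < corrupt_attempts))
        attempt += 1
        if outcome != "retry":
            break
    if outcome != "programming":
        return outcome
    phone.download_flash(new_image)
    digest = phone.new_hash()
    return "provisioned" if phone.store_signed_hash(digest, device.sign_hash(digest)) else "bad signature"
```

A device holding the wrong private key produces responses that never open to Rand1 || Rand2, so it is refused and, after MAXCOUNT attempts, the phone goes inoperable; a genuine device whose first few responses are garbled on a noisy link is retried and succeeds, which is the reason the description gives for tolerating more than one failure.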
$h = H(M)$ (Equation 1)

There are many functions that take an input of arbitrary length and return an output of fixed length, but one-way hash functions have the following additional characteristics: given M, it is easy to compute h; given h, it is hard to compute M; and given M, it is hard to find another message M' such that H(M) = H(M'). The basic attack against a one-way hash is this: given the hash value of the memory input (the authentic contents), a cloner seeks to create another set of memory contents, M', such that H(M) = H(M'). If the cloner succeeds, the security of the one-way hash function is compromised. The object of the one-way hash is to provide a unique signature, or fingerprint, of M. In the present invention, a secure one-way hash function is carried out over selected contents of the cell phone memory in order to produce a verification hash value. The verification hash value is compared with a valid hash value previously produced by performing the one-way hash function on the selected memory contents of the authentic memory. In a preferred embodiment, a message digest algorithm such as MD5 is used for the secure one-way hash calculation. The MD5 algorithm produces an N-bit hash, or message digest, of the input message (that is, the selected memory contents). The MD5 algorithm is highly sensitive in that a change of a single bit in the selected contents statistically results in a change of half of the hash value bits. The MD5 algorithm is also known for its speed and simplicity. Speed is an important factor in that the time demanded of the cell phone processor must not be so great as to interfere unacceptably with the ordinary processes of the system.
The MD5 algorithm is also suitable because it can be carried out progressively, which allows the hash process to be interrupted so that a regular microprocessor task can be carried out before hashing resumes. Furthermore, the MD5 algorithm is well suited for use on conventional microprocessor architectures. Other one-way hash algorithms that may be employed in accordance with embodiments of the present invention include, but are not limited to: Snefru, N-Hash, MD2, MD4, Secure Hash Algorithm (SHA), and HAVAL. One skilled in the art will be able to readily program a microprocessor to carry out the one-way hash process. Public key algorithms use two keys, a publicly available key and a private (secret) key, for tasks such as message encryption and decryption, message authentication, and digital signatures.
The keys can be used in various ways to achieve different objectives. For example, if the goal is to keep a message secret, the private key must be protected by the receiver so that only the receiver can decrypt messages. In such a case, the encryption key can be publicly known and can be known to be associated with a particular intended receiver. Although the sender of the message can be sure of the secrecy of the information in this process, the recipient cannot be sure of the authenticity of the sender. If instead the sender keeps the private (secret) key of a key pair secret, a recipient with the corresponding public key can verify the authenticity of the sender, even though the message itself is not secret. It is this latter scheme that is used to authenticate a data transfer device in accordance with the present invention. Public key algorithms rely on mathematical trapdoor functions that make it computationally infeasible to derive the private key from the public key. In the case of the well-known RSA (Rivest, Shamir, and Adleman) algorithm, security depends on the difficulty of factoring the product of two large prime numbers. Key selection begins with the choice of two large primes, p and q, which multiplied together produce a large number n:

$n = pq$ (Equation 2)

The encryption key e is then chosen at random such that e and $(p-1)(q-1)$ are relatively prime. Finally, the Euclidean algorithm is used to compute the decryption key d such that

$F = (p-1)(q-1)$ (Equation 3)

$ed \equiv 1 \pmod{F}$ (Equation 4)

The numbers e and n are the public key; the number d is the private key. Equation 5 gives the RSA encryption process, and Equation 6 gives the decryption process.
$C = M^e \bmod n$ (Equation 5)

$M = C^d \bmod n$ (Equation 6)

An adversary capable of factoring n could use Equation 3 to determine F and then determine the private key d from Equation 4, given the public key e. However, as indicated above, n is usually so large that such factoring is impractical. More details on the RSA algorithm can be found in U.S. Pat. No. 4,405,829 to Rivest et al. In preferred embodiments of the present invention, the Fiat-Shamir (FS) algorithm, or a variant thereof, is used (reference is made to U.S. Pat. No. 4,748,668, the contents of which are fully incorporated herein by reference). The FS algorithm is suited to implementing an authentication and digital signature scheme within the limited computing capabilities of typical cellular telephones. The FS algorithm differs from earlier schemes such as RSA in that its security relies on the difficulty of finding the inverse of a quadratic residue $v_i$ modulo n. More specifically, the FS scheme involves selecting a number n that is the product of two large primes, preferably between 512 and 1064 bits in length. A public key $v = (v_1, v_2, \ldots, v_k)$ and a private key $s = (s_1, s_2, \ldots, s_k)$ are generated such that $s_i = \sqrt{1/v_i} \bmod n$. It can be shown that the difficulty of finding the inverses $1/v_i \bmod n$ in the context of the above equation is equivalent to the difficulty of finding the prime factors of n. Without sacrificing security, the algorithm runs much faster than other schemes. FS is superior to the RSA scheme in that an FS calculation requires only about 1% to 4%
of the modular multiplications normally required to complete the necessary authentication calculations. This allows the signed hash value to be authenticated up to two orders of magnitude faster than when an RSA scheme is used for the same task. Accordingly, the authentication of the data transfer device and the periodic comparison of the verification hash value can be carried out considerably faster using an FS scheme than using an RSA scheme. When cell phones or other electronic memories are programmed in volume at the factory, the use of the FS algorithm reduces production time because it generates the digital signature of the valid hash values for storage more quickly. Other algorithms that may be applied include, but are not limited to, ElGamal, DSA, and Feige-Fiat-Shamir. In accordance with another aspect of the present invention, the controller hardware within a cellular telephone has security features that prevent a cloner from determining the contents of a protected memory or otherwise circumventing the previously described security schemes. FIG. 11 shows the controller hardware, the external memories, and details of a memory/address bus structure. Except for the chip select logic 1122 and the security logic 1124, the operation of the controller is the same as that described for FIG. 4. The chip select logic 1122 decodes addresses on the microprocessor address bus 1102 in order to provide chip select signals for the memory components and hardware devices connected to the bus 1102.
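The Fiat-Shamir identification described above, as an added example written for this page (not code from the patent, from Ericsson, or from U.S. Pat. No. 4,748,668). The modulus is a constructed toy product of two Mersenne primes rather than the 512 to 1064-bit primes the description calls for; k = 8 key components and 4 rounds are this example's choices, and the keys are generated by picking the s_i first and deriving v_i = 1/s_i^2 mod n, which satisfies the relation s_i = sqrt(1/v_i) mod n. The verifier's check needs only a handful of modular multiplications per round and no exponentiation, which is the property the description relies on for the speed comparison with RSA.

```python
import math
import secrets

# Constructed toy modulus (not from the patent): the description calls for two
# primes of 512 to 1064 bits each; these Mersenne primes keep the demo fast.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
K = 8            # number of (s_i, v_i) pairs; a choice of this example
ROUNDS = 4       # an impostor passes each round with probability 2**-K


def fs_keygen(k: int = K):
    """Private key s = (s_1..s_k) chosen at random; public key v_i = 1/s_i^2 mod n,
    so that s_i = sqrt(1/v_i) mod n as the description states."""
    s = []
    while len(s) < k:
        cand = secrets.randbelow(N - 2) + 2
        if math.gcd(cand, N) == 1:            # must be invertible mod n
            s.append(cand)
    v = [pow(si * si, -1, N) for si in s]
    return s, v


def fs_commit():
    """Prover (data transfer device) picks random r and sends x = r^2 mod n."""
    r = secrets.randbelow(N - 2) + 2
    return r, (r * r) % N


def fs_challenge(k: int = K):
    """Verifier (the phone) returns k random challenge bits e_1..e_k."""
    return [secrets.randbits(1) for _ in range(k)]


def fs_respond(r: int, s: list, bits: list) -> int:
    """Prover answers y = r * prod(s_i for e_i = 1) mod n."""
    y = r
    for si, bit in zip(s, bits):
        if bit:
            y = (y * si) % N
    return y


def fs_verify(x: int, v: list, bits: list, y: int) -> bool:
    """Verifier checks y^2 * prod(v_i for e_i = 1) == x mod n.
    Since s_i^2 * v_i = 1, the product collapses back to r^2 = x.
    Only a few modular multiplications, no exponentiation."""
    lhs = (y * y) % N
    for vi, bit in zip(v, bits):
        if bit:
            lhs = (lhs * vi) % N
    return lhs == x


def authenticate(prover_s: list, verifier_v: list, rounds: int = ROUNDS) -> bool:
    """Full identification: the phone holds v, the data transfer device holds s.
    Every round must pass; a prover without the right s fails almost surely."""
    for _ in range(rounds):
        r, x = fs_commit()
        bits = fs_challenge(len(verifier_v))
        y = fs_respond(r, prover_s, bits)
        if not fs_verify(x, verifier_v, bits, y):
            return False
    return True
```

Each round costs the verifier one squaring plus at most k multiplications modulo n; an RSA verification of the same response would cost a full modular exponentiation, which is where the difference of up to two orders of magnitude quoted in the description comes from.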
For example, each time an address assigned to the IROM 403 appears on the address bus 1102, the IROM chip select (ICS) is activated. The security logic 1124 operates to detect attempts to access the contents of the PSRAM 407, or to reinitialize the hardware-based timers 401, by microprocessor instruction code stored in a memory device other than the IROM 403. For example, a read or write instruction located in the flash memory 420 with a target address of a memory location in the PSRAM 407 will be detected as an illegal operation. Any illegal access attempt results in the microprocessor being forced into a halt state that requires a full power cycle of the cell phone before normal operation can resume. The security logic is an implementation of the following logic equations:

$S = \mathrm{SPVR} \cdot B$ (Logic Equation 1)

$\mathrm{Halt} = \overline{S} \cdot (A + C)$ (Logic Equation 2)

where S = security mode; SPVR = transition of the microprocessor into supervisor mode; A = chip select signal for the PSRAM; B = chip select signal for the IROM; C = chip select signal for the hardware timers; and Halt = a hardware control input to the microprocessor that places it in an infinite loop or a permanent standby condition until power is removed from and reapplied to the telephone. Logic Equation 1 states that security mode (S) is set when the microprocessor transitions into supervisor mode (SPVR) at the same time that the IROM 403 chip select is active (B). Logic Equation 2 states that the microprocessor halt input is activated if the controller 400 is not in security mode (not S) and either the PSRAM 407 or the hardware timer chip select is active (A + C).
This logic effectively prevents the security measures provided by the hash value comparisons and the authentication process described above from being bypassed, because legitimate access to the PSRAM 407 and to the hardware timers 401 preferably comes only from code stored in the IROM 403. All legitimate code located in the IROM 403 (boot code, hash code, public key, and authentication code) is preferably surrounded by instructions that cause security mode to be set at the start of the routine and cleared when the routine exits. In a preferred embodiment of the invention, a software interrupt instruction (commonly available in modern microprocessors) is placed at the beginning of each routine in the IROM 403 to switch the microprocessor 402 into supervisor mode and cause the SPVR microprocessor hardware signal to be activated.
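Logic Equations 1 and 2, together with the supervisor-mode bracketing of IROM routines, can be simulated on a bus trace as follows. This is an added example written for this page, not the patent's or Ericsson's logic: the address map, the trace format and the class and function names are constructed, and the chip-select decode is a plain address-range comparison standing in for the chip select logic 1122.

```python
# Constructed address map for the bus model (not the patent's addresses).
IROM = (0x0000, 0x1FFF)     # IROM 403: boot, hash and authentication code, public key
PSRAM = (0x2000, 0x2FFF)    # PSRAM 407: protected scratch RAM
TIMER = (0x3000, 0x300F)    # hardware timer 401 registers (T1/T2)
FLASH = (0x4000, 0xFFFF)    # flash program memory 420


def chip_selects(addr: int) -> dict:
    """Chip select logic 1122: decode an address into the signals of the
    logic equations, A (PSRAM), B (IROM) and C (timers)."""
    def hit(rng):
        return rng[0] <= addr <= rng[1]
    return {"A": hit(PSRAM), "B": hit(IROM), "C": hit(TIMER)}


class SecurityLogic:
    """Security logic 1124.

    Logic Equation 1: S    = SPVR * B         (latched on supervisor entry
                                               while the IROM is selected)
    Logic Equation 2: Halt = not S * (A + C)  (evaluated on every data cycle)
    """

    def __init__(self):
        self.S = False          # security mode latch
        self.halted = False     # Halt asserted: only a power cycle clears it

    def software_interrupt(self, pc: int) -> None:
        """SWI at the start of a routine raises SPVR; S is set only if the
        instruction was fetched from the IROM (B active at that moment)."""
        if chip_selects(pc)["B"]:
            self.S = True

    def routine_return(self) -> None:
        """Return at the end of the IROM routine cancels security mode."""
        self.S = False

    def data_access(self, addr: int) -> bool:
        """Apply Logic Equation 2 to one data bus cycle; False means halted."""
        if self.halted:
            return False
        cs = chip_selects(addr)
        if not self.S and (cs["A"] or cs["C"]):
            self.halted = True
            return False
        return True


def run_bus_trace(trace) -> tuple:
    """Replay (op, addr) cycles, op being 'swi', 'ret', 'read' or 'write'.
    Returns (halted, per-cycle success flags)."""
    logic = SecurityLogic()
    results = []
    for op, addr in trace:
        if op == "swi":
            logic.software_interrupt(addr)
            results.append(not logic.halted)
        elif op == "ret":
            logic.routine_return()
            results.append(not logic.halted)
        else:
            results.append(logic.data_access(addr))
    return logic.halted, results


# Constructed traces: a legitimate IROM hash routine that touches the PSRAM and
# reloads the timer, and shadow code in flash attempting the same accesses.
LEGIT_TRACE = [("swi", 0x0120), ("read", 0x5000), ("write", 0x2004),
               ("write", 0x3000), ("ret", 0x0130), ("read", 0x5004)]
SHADOW_PSRAM_TRACE = [("read", 0x5000), ("write", 0x2004)]
SHADOW_TIMER_TRACE = [("swi", 0x5000), ("write", 0x3000)]
```

The third trace is the case the equations are built for: code in flash can execute a software interrupt and enter supervisor mode, but because B is not active at that instant S stays clear, and the very next write to the timer registers asserts Halt.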
Because the IROM 403 chip select (B) is active at that moment, security mode S is established. Execution of a return instruction at the end of the secure routine cancels security mode. In accordance with another aspect of the invention, the data transfer device comprises a factory-supplied security unit that can be used in combination with a general-purpose computer. An exemplary arrangement is shown in FIG. 12. A security unit 1200 is attached to an I/O port of a PC 1202 through a standard connector 1206. A second port on the PC 1202 is used in combination with a second standard connector 1208, such as an RS-232 cable or an infrared link, for interconnection with a cell phone 1204. The processes illustrated in the preceding figures can be carried out using the arrangement of FIG. 12 to perform the cell phone reprogramming process. A factory-authorized service representative having a standard PC and a security unit 1200 is thus equipped to reprogram phones. In another embodiment of the invention, an existing cell phone with field programming capability can be made secure against attacks other than those requiring access to the internal circuit board assembly. This is effective against the most common cloning attacks, in which memory contents inside the phone are modified using test commands accessible through an external telephone connection. This can be done by updating a current cell phone to use the data transfer device (DTD) authentication procedure described in FIG. 8 before granting access to field programming commands. Both the authentication software code and the public key are stored in the existing flash memory, which avoids changes to current conventional designs.
Exemplary applications of the invention have been described in the context of key-based encryption systems and one-way hashing as applied to protecting and programming an electronic memory in a cell phone. Nevertheless, those skilled in the art will readily recognize that any function, calculation, algorithm, method or system appropriate for deriving a signature from memory contents can be applied in accordance with the present invention. The invention has been described with reference to particular embodiments. However, it will be readily apparent to those skilled in the art that the invention can be embodied in specific forms other than those of the preferred embodiments described above. For example, the invention can be incorporated into any electronic memory and/or electronic memory access or programming device without departing from the spirit of the present invention. In addition, the invention can be applied in digital signal processors, application-specific processors, or any other similar processor or electronic-memory-oriented system. Accordingly, the preferred embodiments described herein are merely illustrative and should not be considered as restrictions on the invention. The scope of the present invention is given by the appended claims and not by the foregoing description, and the present invention encompasses all variations and equivalents that fall within the claims.

Claims (5)

1. In a cell phone, an apparatus comprising: a microprocessor; and a memory; wherein the microprocessor performs a hash calculation on the contents of the memory to derive a verification hash value, said verification hash value being compared with a valid hash value previously derived by performing the hash calculation on authentic memory contents.
2. The apparatus according to claim 1, wherein the verification hash value is periodically derived and compared with the valid hash value.
3. The apparatus according to claim 2, wherein the periodic derivation of the hash value is carried out upon the expiration of a hardware-based timer.
4. The apparatus according to claim 1, wherein said memory includes a flash memory and an EEPROM.
5. The apparatus according to claim 1, further comprising: a protected random access memory; wherein the hash calculation is carried out in combination with the protected random access memory.
6. The apparatus according to claim 4, wherein the derived verification value is based on contents selected from the flash memory and from the EEPROM.
7. The apparatus according to claim 6, wherein the selected contents include an electronic serial number.
8. An apparatus according to claim 6, wherein the selected contents include microprocessor program code.
9. The apparatus according to claim 1, wherein the valid hash value is authenticated by means of a public key stored in the memory.
10. The apparatus according to claim 1, wherein the valid hash value receives a digital signature through the use of a private key.
11. The apparatus according to claim 1, wherein the hash calculation carried out is selected from the group of hash functions consisting of: Snefru, N-Hash, MD2, MD4, MD5, Secure Hash Algorithm (SHA), and HAVAL.
12. The apparatus according to claim 10, wherein a public/private key system is employed that is selected from the group of algorithms consisting of: ElGamal, RSA, DSA, Feige-Fiat-Shamir, and Fiat-Shamir.
13. The apparatus according to claim 5, further comprising security logic, wherein the security logic monitors access to the protected random access memory.
14. In a cellular telephone, a method for detecting memory tampering, the method comprising the steps of: storing a signed valid hash value produced by performing a hash calculation on selected contents of a memory, the selected memory contents being known to be authentic; producing a verification hash value by performing the hash calculation on the contents of the memory; and comparing the verification hash value with the valid hash value, whereby a difference between the verification hash value and the valid hash value indicates an alteration of the selected contents of the memory.
15. The method according to claim 14, wherein the step of producing the verification hash value is carried out in combination with a protected random access memory.
16. The method according to claim 14, further including the step of: signing the valid hash value with a digital signature based on a private key.
17. The method according to claim 14, wherein the steps of producing the verification hash value and comparing the verification hash value with the valid hash value are carried out periodically.
18. The method according to claim 14, wherein the step of producing the verification hash value is carried out upon the expiration of a hardware-based timer.
19. The method according to claim 14, wherein the step of producing the verification hash value includes calculating the verification hash value in segments.
20. The method according to claim 19, wherein the calculation of a verification segment can be delayed as necessary while other processes occurring within the cell phone are completed.
21. The method according to claim 14, wherein the valid hash value receives a digital signature, and wherein the step of comparing the verification hash value with the valid hash value includes the step of authenticating the valid hash value against the signature.
22. In a cellular telephone, an apparatus comprising: a microprocessor; a flash memory whose contents include operating instructions for the cell phone; and an electrically erasable programmable read-only memory (EEPROM) whose contents include a valid hash value derived by performing a one-way hash calculation on selected parts of genuine flash memory and EEPROM contents; wherein the microprocessor periodically generates a verification hash value by performing the hash calculation on the selected parts, said verification hash value being compared with the authenticated valid hash value to evaluate whether at least one of the flash memory and the EEPROM has been altered.
23. The apparatus according to claim 22, wherein the one-way hash calculation is selected from the group consisting of: Snefru, N-Hash, MD2, MD4, MD5, Secure Hash Algorithm (SHA), and HAVAL.
24. The apparatus according to claim 22, wherein the valid hash value receives a digital signature by means of a private key before its storage, said value being authenticated by a public key for the purpose of comparison with the verification hash value.
25. The apparatus according to claim 24, wherein a public/private key system is employed that is selected from the group of algorithms consisting of: ElGamal, RSA, DSA, Feige-Fiat-Shamir, and Fiat-Shamir.
26. The apparatus according to claim 24, wherein the valid hash value receives a digital signature by the private key by means external to the cell phone.
27. A system for programming a cell phone, the system comprising: a data transfer device; wherein the cellular telephone initiates a challenge-response authentication process in response to an access request message received from the data transfer device.
28. A system for preventing unauthorized access to a cellular telephone's memory programming capability, the system comprising: a cellular telephone including a memory for storing data and a microprocessor having a public-key authentication device; and a data transfer device including a microprocessor having a private-key digital signature device for supplying a signed message to the cellular telephone, said private-key signature device corresponding to the public-key authentication device; wherein the cellular telephone microprocessor determines the authenticity of the data transfer device based on an analysis of a signed message supplied by the data transfer device.
29. A method for evaluating the authenticity of a programming device in a cell phone, the method comprising the steps of: sending a challenge message in response to a programming request; signing the challenge message in the data transfer device using a private encryption key; sending the signed challenge message to the cell phone; authenticating the signed challenge message within the cell phone through the use of a public key, said public key corresponding to the private encryption key; and rejecting the data transfer device if the challenge message is not recovered by the authentication step.
30. In a system comprising a data transfer device for programming a cell phone, a method for preventing unauthorized access to a memory in the cell phone, said method comprising the steps of: sending a programming request from the data transfer device to the cell phone; sending a challenge message from the cell phone to the data transfer device in response to the programming request; signing a challenge response message within the data transfer device using a private key, wherein the challenge response message depends on the contents of the challenge; sending the signed challenge response message to the cell phone; authenticating the challenge response message within the cell phone by using a public key that corresponds to the private key; and entering a programming mode if the authentication of the signed challenge response message confirms the authenticity of the data transfer device.
31. A system for programming a cell phone, the system comprising: a programmer; and a general-purpose computer having a first port and a second port, wherein the programmer is attached to the first port and the second port is used for communication with a cell phone to be programmed; wherein, in response to a cell phone programming request received by the programmer, the cell phone returns a challenge, said challenge being signed by the programmer and returned to the cell phone for authentication, whereby recovery of the challenge through authentication of the signed challenge indicates the authenticity of the programmer and causes the cellular telephone to enter a programming mode.
32.
Fn ui elular phone, an apparatus that includes: a microprocessor, where in response to a request to program the cell phone received from a programmer, the microprocessing on the cell phone sends a message of challenge to the programmer, said message (ie challenge is signed by the programmer and returned to the cell phone for authentication, so that a proper authentication of the signed challenge indicates the authenticity of the programmer and causes the cell phone to enter a programming mode T. In a cell phone, a system μTo prevent fraudulent access to memory, comprising: a seciupriad logic, an instruction code that contains a read-only memory, and a protected random access memory, where the security logic prevents access to the protected random access memory by elements other than the read-only memory 34. The system according to claim 33, further comprising a timed r based on equipment, where the security logic prevents access to the timekeeper based on elements other than read-only memory. 35. The system according to claim 33, wherein the ac > only the memory protected with confidence in an instruction code in the read-only memory can only be carried out when the system is in a supervision mode. ~ ^. In an electronic device, an apparatus comprising:? N icroμrüí esador; and a memory; where the processor performs a partial calculation of the contents of the memory to derive a partial verification value, said partial value of the verification is compared with a previously valid partial variance derived from the realization of the partial calculation on authentic contents. laugh memory.
  3. 3. The apparatus according to claim 36, wherein the partial verification value is periodically derived and compared to the valid partial value 38. The apparatus in accordance with the indication 36, where the memory includes a flash memory. an EEPROM 39. The apparatus according to claim 36, wherein the partial verification value is derived based on selected contents of the flash memory and the EEPROM. 40. The apparatus according to claim 37, wherein the selected contents include a microprocessor programming code, 41. The apparatus according to claim 36, wherein the partial value val e, authenticated by using a public key stored in the emo ia. 42. The apparatus according to claim 36, wherein the valid partial value receives a digital signature by means of the? = - or of an indated key. 43. The apparatus according to claim 3 < , where the partial calculation performed is selected within the group of partial functions that consist of: Snerf ?, H-Hash, MD2, MD4, MD5, Secure Hash Algapthm (SHA), and HAVAL. 44. The apparatus according to claim 42, wherein an employed / private key system employed is selected from the group of public key algorithms consisting of: ELGAMAL, RSA, DSA, Fiege-Fiat-Shamir, * > Fait-Sha go. 45. In an electronic device, a method for detecting memory manipulation, the method comprises the steps of: storing a signed valid partial value produced by performing a partial calculation on selected contents of a memory, it is known that the selected contents of memory are authentic; produce a partial verification value by performing the partial calculation on the selected contents of the memory; and compare the partial check velar with the / alor 5 * ^ Valid branch, so that a difference between the partial value of the verification and the valid partial value indicates an alteration of the selected memory contents. 46. 
The method according to claim 45, which further includes the step of: signing the valid partial value with a digital signature based on a private key. 4 ~ *The method according to claim 45, wherein the steps of producing the partial verification value v of comparing the partial verification value and the valid partial value are carried out periodically. 8. The method according to claim 45, wherein the step of producing the partial verification value includes the calculation of partial value verification segments. 49. The method according to claim 48, wherein the calculation of a partial value segment of verification can be postponed the necessary time while other processes that occur within the electronic device end. 50, The method according to claim 45, wherein the valid partial value receives a digital signature, and where the step of comparing the partial verification value with the valid partial value includes the step of authenticating the valid partial value against the signature . 51. A system for programming an electronic device, the rumprpnHp system; a data transfer device; where the electronic device initiates a challenge response authentication process in response to an access request message received from the data transfer device. 5, A system to prevent access to memory, said system comprises: a security logic; a read-only memory containing a hardware code; * 'a memory d «= > protected random access; where the security logic avoids access to the random access memory protected by elements other than the read-only memory. 53. The system according to claim 52, further comprising a timekeeper based on equipment, where the security logic prevents access to the timekeeper based on equipment for elements other than the read-only memory. 54. The system according to claim 52, wherein accesses to the random access memory protected in accordance with the instruction code in the read-only memory can be carried out only when the system is in a monitoring mode. 
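As an added illustration of the memory audit in claims 14 to 26 and 36 to 50 (not code from the patent or from Ericsson), the following Go program stores a factory-signed valid hash, recomputes the audit hash in deferrable segments, authenticates the stored value against its signature and then compares the two. SHA-256 stands in for the hash functions listed in claim 23, Ed25519 stands in for the public/private key algorithms listed in claim 25, and the 64-byte segment size and the FIRMWARE image are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// segmentSize is a constructed value: hashing in segments lets the phone
// defer a segment while other tasks run (claims 19-20 and 48-49).
const segmentSize = 64
// AuditHash: one-way hash over the selected regions, segment by segment.
func AuditHash(regions ...[]byte) []byte {
	h := sha256.New()
	for _, r := range regions {
		rd := bytes.NewReader(r)
		for rd.Len() > 0 { // one segment per pass; other work may run in between
			io.CopyN(h, rd, segmentSize)
		}
	}
	return h.Sum(nil)
}

// Provision is the factory step: hash the authentic contents and sign the
// result; valid hash, signature and public key are stored in EEPROM (claim 24).
func Provision(priv ed25519.PrivateKey, regions ...[]byte) (valid, sig []byte) {
	valid = AuditHash(regions...)
	return valid, ed25519.Sign(priv, valid)
}

// Audit is the periodic phone-side check: the stored valid hash must verify
// against its signature (claim 21) and equal a fresh audit hash (claim 14).
func Audit(pub ed25519.PublicKey, valid, sig []byte, regions ...[]byte) bool {
	if !ed25519.Verify(pub, valid, sig) {
		return false // stored valid hash was altered or never signed
	}
	return bytes.Equal(AuditHash(regions...), valid)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // factory key (constructed)
	flash := bytes.Repeat([]byte("FIRMWARE"), 40)    // constructed flash image
	valid, sig := Provision(priv, flash)
	fmt.Println("genuine:", Audit(pub, valid, sig, flash)) // true
	flash[100] ^= 0xFF                                     // one-byte patch
	fmt.Println("patched:", Audit(pub, valid, sig, flash)) // false
}
```

Because the valid hash is authenticated before it is compared, rewriting it to match patched contents does not help without the private key; the signature check fails first.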
SUMMARY OF THE INVENTION

Methods and apparatus are presented for preventing unauthorized tampering with memory in an electronic device, such as a cellular telephone. An electronic device having a memory and a processing device contains logic that is used to carry out a one-way hash calculation on the contents of the device's memory, whereby an audit hash value, or signature, of said contents is derived. The audit hash value is compared with an authenticated valid hash value derived from authentic memory contents. A difference between the audit hash value and the valid hash value may be an indication of tampering with the memory. In accordance with another aspect of the invention, the memory contents of an electronic device can be updated by a data transfer device that is authenticated before it is permitted access to the memory contents. Authentication of the data transfer device includes the use of a public/private key encryption scheme. When the data transfer device interfaces with an electronic device and requests access to memory, a process is initiated to authenticate the data transfer device.
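As an added illustration of the challenge-response authentication of the data transfer device described in claims 27 to 32 and in the second aspect of the summary (example code, not the patent's or Ericsson's), the following Go program has the phone answer a programming request with a fresh random challenge, the programmer sign it with its private key, and the phone enter programming mode only when the signed response recovers the outstanding challenge under the stored public key. Ed25519 stands in for the key algorithms the patent lists, and the 16-byte challenge length is a constructed assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Phone models the cellular telephone side of claims 27-32: it stores the
// public key of the authorised programmer and one outstanding challenge.
type Phone struct {
	ProgrammerPub ed25519.PublicKey
	challenge     []byte // constructed: 16 random bytes, cleared once used
	Programming   bool
}
// Programmer models the data transfer device holding the private key.
type Programmer struct{ Priv ed25519.PrivateKey }
// RequestProgramming is the access request; the phone answers with a fresh random challenge.
func (p *Phone) RequestProgramming() []byte {
	p.challenge = make([]byte, 16)
	rand.Read(p.challenge)
	return append([]byte(nil), p.challenge...)
}

// Respond signs the challenge; the response depends on the challenge contents
// (claim 30), so a response captured earlier does not fit a new challenge.
func (d Programmer) Respond(challenge []byte) (resp, sig []byte) {
	return challenge, ed25519.Sign(d.Priv, challenge)
}

// Authenticate enters programming mode only if the response is the outstanding
// challenge and its signature verifies under the stored public key.
func (p *Phone) Authenticate(resp, sig []byte) error {
	defer func() { p.challenge = nil }() // single use, whether it passes or fails
	if p.challenge == nil || !bytes.Equal(resp, p.challenge) {
		return fmt.Errorf("response does not match the outstanding challenge")
	}
	if !ed25519.Verify(p.ProgrammerPub, resp, sig) {
		return fmt.Errorf("signature does not verify: data transfer device rejected")
	}
	p.Programming = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // authorised key (constructed)
	phone := &Phone{ProgrammerPub: pub}
	err := phone.Authenticate(Programmer{priv}.Respond(phone.RequestProgramming()))
	fmt.Println(err, phone.Programming) // <nil> true
}
```

The phone holds only the public key, so a programmer that lacks the matching private key cannot produce an acceptable response, and a response captured from an earlier session does not match a newly issued challenge.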
Application MXPA/A/1999/002040A, priority date 1996-09-05, filing date 1999-03-02: System for preventing electronic memory tampering, publication MXPA99002040A (en).

Applications Claiming Priority (1): US08706574, priority date 1996-09-05.

Publications (1): MXPA99002040A (en), publication date 1999-09-20.
