MXPA99011751A - Chip card comprising means for managing a virtual memory, associated communication method and protocol - Google Patents

Chip card comprising means for managing a virtual memory, associated communication method and protocol

Publication number
MXPA99011751A
Authority
MX
Mexico
Prior art keywords
data
memory means
card
application
downloaded
Application number
MXPA/A/1999/011751A
Other languages
Spanish (es)
Inventor
Nassor Azad
Original Assignee
Cp8 Technologies

Abstract

The invention concerns a chip card (21) comprising data processing means and main data storage means, wherein the processing means include: means for detecting, while the chip card is operating, that the main storage means contain an amount of data such that an operation cannot be executed; means for selecting, in the main storage means, a set of data to be unloaded (K), whereof the unloading can release in the main storage means a space sufficient for executing said operation; means for unloading the set of data to be unloaded (K) into secondary storage means (23 to 25), in the event said secondary storage means do not contain said data set to be unloaded. The invention also concerns the associated communication method and protocol.

Description

CHIP CARD COMPRISING MEANS FOR MANAGING A VIRTUAL MEMORY, ASSOCIATED METHOD AND COMMUNICATION PROTOCOL

DESCRIPTION OF THE INVENTION

The present invention is concerned with a chip card comprising means for managing a virtual memory, and with the associated method and communication protocol.

The chip card has come to occupy a large place in everyday life. The banking sector was the first to take an interest in microcircuit cards: their main advantage is to reduce fraud. Pay-television and radiotelephony companies use them as a means of managing the keys that serve to encrypt and decrypt encrypted broadcasts. To ensure security, a new integrated circuit architecture had to be created. Electronic purse-type cards contain a sum of electronic money; other, so-called loyalty cards provide financial advantages to their owners.

As can be seen, microcircuit cards, and more particularly microprocessor cards, are usable in a more or less large number of applications. At first, the operating system of the cards, i.e. the program located in ROM memory, could not manage more than a single application. The operating system is written at the time of manufacture of the microcircuit. By increasing the size of the program memory (ROM) and of the non-volatile programmable memory (EPROM and EEPROM, nowadays FeRAM), the operating system can execute more functions. However, the number of these functions is always limited by the size of the ROM. In addition, adding a complementary function in ROM involves making a new variant; this is very expensive and only really profitable if a large number of cards are involved.

One means of increasing the number of these functions without touching the ROM memory consists of writing the executable program, as well as the data that allow it to function, in the programmable memory. Complementary functions can thus be added to an operating system that initially has only a fixed number of functions.
Patent FR-A-2 748 134 describes a means for loading the program into the programmable memory. However, the programmable memory is of a limited size: once it is filled with a program, it is not possible to add functions. The storage of this program is done to the detriment of the memory space intended for data in the programmable memory. The above method is used to correct certain imperfections of the program located in ROM or to add some other functions. If a card must execute a program of very large size, the method described in that document can prove to be insufficient.

The present invention aims to solve this problem by proposing a method of loading and unloading the programmable memory at will, as regards the programs and/or the application data, for a data processing device constituted by a card. It is thus possible to execute a wide variety of applications such as: electronic purse, banking application, GSM telephony or the health application currently being tried out in France. With the help of the present invention, the applications listed are virtually on the card; the card owner preloads them, and the card is thus configured according to the owner's own wishes.

The present invention also solves another problem. A user may wish to open the same application twice at the same time. The execution of an application in a data processing device such as a card takes a certain time. In order to speed up processing, it is advantageous to be able to start a second execution of the application before the end of the first one. The same program thus runs twice at the same time.
This object is achieved by the fact that the card is provided with an operating system comprising at least three functions:
- Loading of application data.
- Download of application data.
- Execution of application data.

To acquire a new application, the card receives application data in its programmable memory and checks these data. When an order to execute an application is received from a reader that cooperates with the card, the operating system of the card analyzes the contents of its memory and determines whether it is appropriate to call on the network to download a part of its memory and/or to reload application data downloaded previously. When the application data are reloaded, the operating system of the card verifies that the loaded data were validated by it in the past. These data are then executed.

The network can be considered an extension of the card's programmable memory: the card finds there what it cannot keep in its own memory, and it checks, during the reload, that the data received from the network are those that it had previously sent. The ROM of the card must have a programmable-memory management mechanism that allows it to load and execute an unlimited number of applications. The sizes of the ROM and of the programmable memory of the card are thus no longer a limitation on the number of executable applications, and there is no need to make a new variant when applications are added.
In summary, the invention is concerned with a chip card comprising information processing means and data storage means or main memory means, characterized in that the processing means comprise:
- means for detecting, during the operation of the chip card, that the main memory means contain a quantity of data such that the execution of an operation is not possible;
- means for selecting, in the main memory means, a set of data to be downloaded, wherein the download can release in the main memory means a sufficient space to authorize the execution of said operation;
- means for downloading the data set to be downloaded into secondary memory means, in the case where the secondary memory means do not contain the data set to be downloaded.
The invention is also concerned with the associated method. It is finally concerned with a communication protocol between a chip card and a chip card reader, the card comprising data processing means and data storage means or main memory means, characterized in that it comprises the steps which consist of:
- the reader transmits to the card an order to execute an operation;
- the card checks whether, to execute this operation, it has sufficient space in the main memory means;
- if so, the card executes the operation and then transmits an execution summary to the reader;
- if not, the card selects from the main memory means a set of data to be downloaded, where the download can release in the main memory means a sufficient space to authorize the execution of said operation; the card then downloads the data set into the secondary memory means by transmitting a download order to the reader, in the case where the secondary memory means do not contain the data set to be downloaded, then executes the operation and finally transmits an execution summary to the reader.

Other details and advantages of the present invention will appear during the following description of some preferred but non-limiting embodiments, with reference to the accompanying drawings, in which:
- Figure 1 represents a data processing network used by the invention;
- Figure 2 represents a data processing device, used in Figure 1, which cooperates with a chip card;
- Figure 3 represents a variant of Figure 2, in which the data processing device integrates the functionalities of the chip card;
- Figure 4 is a variant of Figure 2, wherein the data processing device is equipped with a device for reading an optical track; and
- Figure 5 represents a variant of Figure 3.
Figure 1 shows a terminal 20 suitable for reading a chip card 21, or a terminal 22 that integrates chip card functionalities, cooperating with distant data banks 23 to 25, all linked by a data communication network 26. The data communication network 26 is in particular a telephone network, the Internet or any other data communication network. Each data bank comprises a central data processing unit that manages a memory. According to the invention, and as specified later, the card 21 or the terminal 22 can, when they detect that loading a new application into them is not possible for lack of memory space, decide to download another application to a data bank 23 to 25. This download frees enough memory space to accept the new application. If the card 21 or terminal 22 subsequently needs the downloaded application, it will send an order to the corresponding data bank to reload the application, after having, if necessary, freed memory space again by an application download.

The constitution of the terminal 20 and of the card 21 is illustrated in Figure 2. The terminal comprises, in a manner known per se, a microprocessor 2 to which are linked a ROM 3 and a RAM 4, means 5 for cooperating, with or without physical contact, with the chip card 21, and a transmission interface 7 that allows the terminal to communicate with the data communication network 26 of Figure 1. The terminal 20 may furthermore be equipped with storage means such as disks, removable or not, input means (such as a keyboard and/or a pointing device of the mouse type) and display means; these different means are not represented in Figure 2. The terminal can be constituted by any computer device installed at a private or public site and able to provide means of information management or of supplying various goods or services; this device may be fixed or portable.
In particular, it can also be an apparatus dedicated to telecommunications.

The card 21, for its part, carries a chip including data processing means 9, a non-volatile memory 10, a volatile working memory RAM 14 and means 13 for cooperating with the terminal 20. This chip is arranged to define in the memory 10 a secret area 11, in which data once recorded are inaccessible from outside the chip and accessible only to the processing means 9, and an accessible area 12 that is made accessible from outside the chip by the microprocessor 9 for reading and/or writing data. Each zone of the non-volatile memory 10 may comprise a non-modifiable ROM part and a modifiable part that is EPROM, EEPROM, or constituted by "flash" RAM memory or FRAM (the latter being a ferromagnetic RAM memory), that is to say having the characteristics of an EEPROM memory with, in addition, access times identical to those of a classic RAM.
As a chip, a microprocessor with self-programmable non-volatile memory, such as described in U.S. Patent No. 4,382,279 in the name of the applicant, could be used in particular. As indicated in column 1, lines 13-25 of that patent, the self-programmable character of the chip corresponds to the possibility for a program fi located in a ROM memory to modify another program fj located in a programmable memory into a program gj. In a variant, the microprocessor of the chip is replaced, or at least supplemented, by logic circuits implanted in a semiconductor chip. Such circuits are able to perform calculations, in particular authentication and signature calculations, thanks to wired rather than microprogrammed electronics. They can in particular be of the ASIC type ("Application-Specific Integrated Circuit"). As examples of ASICs, mention may be made of the SIEMENS component marketed under the reference SLE 4436 and the SGS-THOMSON component marketed under the reference ST 1335. Advantageously, the chip will be designed in monolithic form.

A variant of Figure 2 is illustrated in Figure 3, where the terminal 22 of Figure 1 comprises, in addition to the elements of the terminal 20, those of the card 21 arranged in a module 15; the elements common to Figures 2 and 3 bear the same references. However, the cooperation means 5, 13 of Figure 2 are replaced by a permanent link between the microprocessor 2 and the microprocessor 9.

A variant of Figure 3 is illustrated in Figure 5. Here, the terminal 50 comprises only a single microprocessor 51 or equivalent, linked to a RAM memory 52 and a non-volatile memory 53. The non-volatile memory 53 comprises an area 54 that is made accessible from outside the terminal by the microprocessor 51, and a secret area 55 accessible only to the microprocessor 51.
The microprocessor 51 has the self-programmable characteristic of the microprocessor 9 described in relation to Figure 2. Finally, the terminal 50 has a transmission interface 56 that allows it to communicate with the data communication network 26 of Figure 1.

The following description will refer, in a non-limiting manner, to the embodiment of Figure 2, and terminal 20 will be referred to as the "reader" because of its function of reading card 21.

The card's memories are organized as follows: a ROM-type memory, a RAM-type memory and a non-volatile programmable memory of the EEPROM or FLASH type. As illustrated in Table 1, the ROM contains a base operating system zone, comprising at least subprograms or routines such as those for input/output and for writing/reading in memory, and a zone for the operating system of a virtual memory, this virtual memory being constituted by the memory of data banks 23 to 25. The base operating system and the operating system of the virtual memory together form what will be called "the card operating system" hereinafter.

The operating system of the virtual memory is preferably able to manage at least nine orders or commands. At least four commands are sent by the reader to the card:
- Loading of applications onto the card.
- Execution on the card of previously loaded applications.
- Deletion of applications on the card.
- Checking of the presence of applications on the card.

Five other orders or commands are sent by the card to the reader:
- Download of applications to the network.
- Reload of applications from the network.
- Suspension of the loading process.
- Resumption of the loading process.
- Deletion of applications in the network.
In a particular embodiment, the operating system of the virtual memory filters and transmits to the program of the application loaded in programmable memory all the commands received from the outside that must be processed by this program.

In the present text, the term "information" designates any executable program or non-executable data in general. The term "application" designates a particular program intended to implement an application of a provider of services or products, together with the associated application data.

Still with reference to Table 1, the programmable memory comprises at least three zones:
- a first zone, called the "system data" zone, containing a code "C" identifying the card;
- a second zone, called the "administration data" zone, which contains the application administration data, namely a signature key called "SWAP" particular to each card, one or more encryption keys associated, depending on the case, with application providers or with particular applications, and a table called "_APPLI"; and
- a third zone, called the "load" zone, used to receive the application data, i.e. the executable program and/or the data necessary for the operation of this program.

At first, the card can be given to its carrier with an empty load zone and an empty _APPLI table. At least the SWAP key is located in the secret area 11 of the non-volatile memory 10 of the card.

Table 1
Application data load zone
Administration data zone (SWAP, TAB APPLI, ...)
System data zone (C code, ...)
Operating system zone of the virtual memory (ROM)
Base operating system zone (ROM)

The table _APPLI contains the data corresponding to the applications available on the card, whether these applications are physically contained on the card or are virtually contained on the card because they have been downloaded to the network. It has the following structure:

Table 2: TAB APPLI

The table _APPLI includes as many lines as there are applications available to the card and, for each line, five columns.
A first column defines an identification code I, J, K of the application. A second column defines a storage address ADR-I, ADR-J, ADR-K from which the application is stored in the card. A third column defines a number of octets that represents the amount of data in the application. A fourth column defines a signature over the set of octets of the application, calculated by using an algorithm and the SWAP key of the card as a secret key. As an algorithm, a symmetric algorithm such as the D.E.S. (Data Encryption Standard) or an asymmetric one such as the R.S.A. (from the authors Rivest, Shamir and Adleman) can be used; advantageously, however, it will be sufficient to use a simpler function, such as a hash function like MD5 or SHA, or a function such as the "exclusive or", because, within the framework of the invention, the signature does not leave the card and is thus protected. Finally, a fifth column defines whether the application concerned is in a "loaded" state on the card or "downloaded" in a data bank.

At first, a card carrier or an application provider wishes to load onto the card a first application that has an identification code "K". The execution of a "load" order may be conditional on an authentication of the carrier or of the application provider. The authentication mechanism, known per se, consists, for the carrier or the application provider, of providing the card with information that allows it to make sure that it is talking to an authorized party.

The load command contains a load order, the code C of the card, the code K of the application and the number n of octets of data corresponding to this application, which gives the following order format:

Load order | Card C | Appli K | number n

Once the order is received by the card, the operating system of the card verifies that the code C sent is the same as that recorded in the system data zone.
If not, the card forwards an error message to the network. If so, the application data are indeed intended for this card: the operating system of the card then reads the _APPLI table in the administration data zone to determine whether or not this is an initial load. At first, _APPLI contains no data for application K; if this is not the case, the card responds to the reader with the message "application already loaded"; if it is the case, this is an initial load. The operating system of the card determines whether the n octets can be housed in its memory; if so, it calculates the starting address "ADR_K" of a first block of n octets available in the load zone. If not, it returns the message "insufficient memory". Finally, the card indicates to the reader that it can send the n bytes of the application, with the help of the "OK_load" response. The reader then sends the n bytes of the application.

Once the application data are stored in programmable memory, the operating system of the card calculates the signature "SGN_K" of these data. It then enters the application code K, the storage address ADR_K, the number of octets n and the signature SGN_K in the table _APPLI. Once this operation is carried out, the "Load / Unload" indicator is set to "Load". When the update of the table _APPLI is complete, the operating system of the card can send a summary, through the reader, to the card carrier or to the application provider, indicating that the application load has been performed correctly. The TAB APPLI table then has the following structure:

Table 3: _APPLI

According to a first variant, the operating system of the card can launch, just after loading, the executable program contained in the application data. This allows the application data to be initialized.
For example, in the case of an electronic purse application, the first execution of the program initializes to Frs the balance of the purse written in the memory. According to a second variant, the executable program is launched on a first order sent by the reader to the card that calls the application considered.

In the simplest case, the address at which execution of the application starts is "ADR_K", but indirect addressing can be used: the designated address is then, in a manner known per se in the microprocessor field, the content of the memory location [ADR_K], which contains the execution address.

The reader sends the card orders that specify the type of application; for example, this type can be encoded in the first of the five octets of an order in accordance with ISO 7816-3; this octet is called "CLA" in the standard. The operating system of the virtual memory of the card checks the orders sent by the reader and determines the code of the application corresponding to the order. It then reads in the table _APPLI whether this code is recorded; if so, the card can run application K. If not, the card cannot execute application K: it responds by sending an error message. If the code K is recorded in _APPLI, the value of the "Load / Download" indicator is then tested. If it is set to "Load", the application data are present in the programmable memory of the card.
In this case, the operating system of the card hands control to the application program located at the address ADR_K or [ADR_K].

We will now see what happens when the programmable memory of the card does not contain the application data because they have been downloaded. Suppose now that the card carrier or the application provider wants the card to contain the data of a second application, called "J" for example. This is possible by loading the application data "J" into the programmable memory of the card. In the same way as before, the card carrier or the application provider authenticates itself by presenting a secret, followed by the load order for the data of the following application:

Load order | Card C | Appli J | number m

It is the same as the previous order for loading application K; here the number of octets of the application is m. The operating system of the card checks the code C and looks for the first block of m octets available in the programmable memory. Suppose that the programmable memory cannot physically contain at the same time the two blocks of application data constituted by application K and application J, but can contain application J if it downloads all or part of application K. The card informs the reader that it is suspending the loading process of application J, by means of a specific order sent to the reader, and then decides to download application K to a data bank, which can be considered the virtual memory of the card. This download will free memory space to load application J. The download then consists of transferring the application data particular to this card into one of the data banks 23 to 25 of the network, in particular one assigned to the card in question. By means of the signature calculation performed during the download, the card is assured of being able to check the integrity and authenticity of its own data after a subsequent reload.
In addition, having already made the signature calculation after the initial load optimizes the execution time of the download order. The card sends the following order to the reader:

This command includes, like the load command, the code C of the card, the code K of the application to be downloaded and the number n of data octets of the application; it also includes the content of these n bytes of data, transmitted to the reader at the same time as the download order. In the case where the download of the application takes place after a part of it has already been executed, the context data, which make it possible to resume the execution of the application later at the point where it was interrupted, are either stored in the programmable memory of the card or added to the n bytes of data of the application and downloaded to the network at the same time as these.

It is possible to indicate an identifier of the recipient in the form of a network address. Advantageously, the network has a correspondence table that associates each card with the address of the data bank that is specifically assigned to it, so that the card does not have to store the address or the identifier, and so that all the data downloaded from the same card are gathered in the same bank.

The reader receives the order, but recognizes that it is intended for the network: it forwards it to the data bank to which it is addressed. If the network has several data banks, the choice can be made on the basis of the card code C. The data bank receives the n bytes of application data and returns to the card, via the reader, an acknowledgment of receipt indicating that storage has been carried out correctly. The card then modifies the table _APPLI by setting the Load / Unload indicator to "Unloaded". The memory space occupied by the application data K becomes available.
The loading operation of application J can then be resumed, and the card sends the reader a command to resume the loading process; the loading operation is performed identically to that of K. The operating system of the card determines the storage address ADR_J of the octets of application J and indicates to the reader, by means of an "OK_Load" message, that it can send the m bytes of application data. The reader sends the m bytes of application data, which are written starting from the address "ADR-J". Once the data of application J are stored in programmable memory, the operating system of the card calculates a signature of them by performing a cryptographic calculation with the help of the SWAP key. Finally, the operating system updates the table _APPLI by writing the code J and the values ADR_J, m and SGN_J, and updates the "Load / Download" indicator by setting it to "loaded". The operating system can then send the reader a summary indicating that the load has been carried out correctly. The _APPLI table then has the following values:

Table 4: TAB APPLI

Once the update of the table _APPLI is finished, the operating system of the card can launch application J in the same way that application K was launched, and the card executes the execution order that the reader had sent it.

If the cardholder or the application provider connects the card to a reader and wishes to run application K again, the card's operating system analyzes the contents of the _APPLI table to determine whether this application is accessible with this card. In the present case, application K is registered in _APPLI, but it has been downloaded to the network. Another application is in memory: it is J, and it occupies m octets. The operating system then tests whether application K, which occupies n octets in memory, can be loaded into what remains available of the memory. As previously assumed, the answer to this test is negative.
The operating system then decides to download the current application J in order to reload application K. The order, issued by the card, for downloading J to the network is:

Once the operation has been carried out, the load indicator of application J in _APPLI is set to the "Download" position. The memory space now being available, the operating system sends the reader an order to reload application K from the network. This order has the following format:

The reader receives the order and forwards it to the data bank associated with card C. The data bank that holds the data of card C receives the order and searches, in the file of this card, for the n bytes of application data related to application K. The data bank produces the following message, which is the response to the last order of the card. This response is transmitted to the card via the reader:

The operating system of the card can verify that the codes C and K and the value n received are identical to those of the download order issued previously. If they are identical, the order continues with the reception of the n bytes of data, which are written starting from the address ADR_K in the load zone; this address is for this purpose read by the operating system in the table _APPLI or recovered from the reloaded context data. At the same time, the operating system calculates the signature of the n bytes written, by means of a cryptographic calculation that uses the value of the SWAP key. The recalculated signature is then compared with the value written in the table _APPLI. If the data received from the network are not identical to those previously downloaded, the two signature values will not be equal. There is then a doubt about the authenticity or integrity of the data received. The loaded data cannot be executed.
The card returns to the reader an error message that indicates a reception of erroneous data during the last loading operation and the impossibility of executing application K; the operating system does not put the load indicator in the "loaded" position; if necessary, it can delete the contents of application K. If, on the other hand, the two signature values are the same, the data received do correspond to the application, and the operating system of the card updates the table _APPLI by putting the load indicator of application K in the "loaded" position. The table _APPLI then has the following values:

Table 5: TAB APPLI

Once the update of the table _APPLI is finished, the operating system launches application K as described above, and the card can execute the last command of the application type sent by the reader.

It has been described above that, on receipt by the card of a load order for an application not currently stored, the operating system of the card tests the available memory space. If it is sufficient, the load can be carried out without downloading the application currently in memory. There are then two applications on the card. The table _APPLI then takes the following configuration:

Table 6: TAB APPLI

In this example, two applications I and K cohabit on the card: they are directly executable. A third application J is accessible with the help of this card, but it needs to be reloaded from the network. The non-volatile memories of the card contain the following data:

Load zone, at ADR-K: Application program K, Application data K
Load zone, at ADR-I: Application program I, Application data I
Load zone: Free
Administration data (SWAP key, TAB APPLI, ...)
System data (code C, ...)
Operating system of the virtual memory (ROM)
Base operating system (ROM)

This table corresponds to the aforementioned Table 1, in which the load zone is detailed as follows: it can be seen that the application data load zone comprises three subzones: a zone that receives the data of application K, a zone that receives the data of application I and a free residual zone that is smaller than m.

In light of this example, the features of the invention will be better understood. The card is equipped with a minimal operating system that allows it to manage the memory space, load or download applications, sign application data to be downloaded to the network, verify application data that were downloaded and are received back from the network by comparing signatures, and launch applications loaded in memory. The signature makes it possible to verify that the application data stored in the data bank were previously loaded on this card. The reader is equipped with a program that recognizes the download and reload orders of the card, and with means for transmitting these orders to the network. Finally, the network is equipped with data banks; the memory of these banks can be considered an extension of the programmable memory of the card.

As seen in the preamble, writing routines into programmable memory to modify the operation of the program in ROM can only be done by people who know this program. The jumps to these routines and their returns into the ROM program require precise knowledge of the addresses, the input and output parameters of these routines, the use of working memory, etc.
The present invention solves this problem by avoiding the use of these routines and, as a consequence, the disclosure of their specifications, while authorizing the execution of numerous applications in the ROM program. The creator of this program can indicate the entry points to certain routines called elementary: octet reception, octet emission, writing of n bytes in programmable memory, cryptographic calculation, etc.

A first improvement of the invention consists in encrypting the application data to protect them during their different transfers between the data processing device destined to receive the applications (such as card 21 or terminal 22 of figure 1) and the network, and after their storage from card 21 or terminal 22.

A first application encryption concerns the initial load of the application by an application provider and uses a secret base key, held by the data processing device and by the application provider located in the network; in the case where the data processing device is a card, its reader does not know the base key. Advantageously, each application is encrypted with an appropriate diversified key, obtained from the base key and from a diversifier constituted by a specific parameter of the application, for example its code K or its storage address ADR_K in the programmable memory. This diversifier can be stored in table TAB_APPLI in such a way that the operating system can easily recover it during loading/unloading orders.

In the initial load of the application by the application provider into the data processing device 21 or 22, this provider calculates the diversified key associated with this application and encrypts the application by means of it before sending it to the network; on reception, the data processing device calculates the diversified key associated with this application and decrypts the application with it, before storing it in the loading area of the programmable memory.
A second encryption of the application concerns the downloads and reloads performed by the data processing device 21, 22. During a download of the application by the data processing device 21, 22 to a data bank, the application is again encrypted by this device. The encryption key used does not have to be shared by the data processing device with another party, such as the application provider; any key generated by the data processing device is suitable, because this same device, and only this device, will perform the subsequent decryption.

Advantageously, the card may use the method described in US Pat. No. 4,907,270, which is intended to provide a method for ensuring the authenticity and integrity of an encrypted message.

The encryption described above prevents the application data from being discovered by a fraudster and prevents the fraudulent copying of the application programs.

In addition to the orders described above, it is possible to provide two complementary orders: an order for the deletion of applications and an order to check the presence of applications on the card.

The application deletion order consists, for the cardholder or the application provider, of sending an order to the card to delete applications that are no longer useful. Its format is as follows:

It comprises an application deletion order, the code C of the card concerned, the code K of the application and possibly the number n of data bytes of the application. If the application concerned is loaded on the card, the operating system of the card makes available the memory space reserved until then for application K. If instead application K is downloaded to a data bank, the card sends the data bank an erase order that has the same format as described above.
Finally, once the deletion order has been executed, the operating system deletes the line concerning this application from table TAB_APPLI.

The order checking the presence of applications on the card can take two different forms. The first form of the order allows the cardholder or the application provider to ask the card whether it holds a particular application. Its format is as follows:

It comprises an order to check the presence of applications, the code C of the card concerned, the code K of the application and possibly the number n of octets of data of the application.

The second form of the order allows the cardholder or the application provider to request from the card the set of lines of its table TAB_APPLI, with the obvious exclusion of the signatures and possibly of the number n of octets and the load indicator. The order format is the following:

Control order for the presence of applications | Card C

A second improvement of the invention consists in triggering the download of an application to the network only when it is necessary. If, at the moment when memory must be released, the loaded application has not been modified and the network already holds the same application data for this application, it is not useful to download these data.
This improvement is intended to prevent the same application data values from being stored in the network several times. To implement this improvement it is necessary to modify table TAB_APPLI; here is the new structure:

Table 8: TAB_APPLI

A sixth column has been added to the table. It contains an indicator called "Modification", which can take two values: Yes or No. During the initial loading of an application, the indicator is set to "Yes": this value indicates that it is necessary to download the application data to the network in order to free the corresponding memory space. Conversely, after a reload order from the network, the indicator is set to "No": this value indicates that the application data stored in the programmable memory of the data processing device (card 21 or terminal 22 of figure 1) are identical to those stored in the data bank of the network. While the indicator remains "No", the operating system of the data processing device does not issue any order to download the application; it only sets the load indicator to the "unloaded" position so that another application can take its place in memory.

The indicator is set to "Yes" when the application data are modified; as a consequence, the signature value is no longer exact and it will need to be recalculated at the time of download.

This modification can occur in at least two cases. The first case is an update of the application program, either to make it more functional by adding complementary functions or to correct a defect. The second case arises frequently when, in the programmable memory of the data processing device 21 or 22, the data are mixed with the application program. For example, an electronic wallet application contains both the programming elements to manage the debits and the credits and the balance data. At each use, this value generally changes and thus the "Modification" indicator is always set to the "Yes" position.

This last example leads to a third improvement of the present invention. It can be seen that the application data comprise both the executable program and application data values that are likely to evolve frequently. The means described in the third improvement hereinafter permit the separation of the two types of data. The data processing device can then choose to download to the network only the data that have actually been modified.
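The download/reload cycle described above (signature computed with the SWAP key, check of C, K and n on reload, and the "Modification" indicator that suppresses redundant downloads), as an added Python example that is not part of the patent text. HMAC-SHA256 stands in for the unspecified cryptographic calculation, and the class, field and method names, the key and the data are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


class ReloadError(Exception):
    """Reloaded data failed the header check or the signature check."""


@dataclass
class Entry:
    """One line of the load table TAB_APPLI (field names are assumptions)."""
    addr: int                # storage address in the loading area
    n: int                   # number of bytes of application data
    signature: bytes = b""   # computed with the SWAP key when downloading
    loaded: bool = True      # load indicator
    modified: bool = True    # "Modification" indicator, Yes after initial load


class DataBank:
    """Stand-in for the network data bank, keyed by (card code, app code)."""

    def __init__(self):
        self.files = {}

    def store(self, card, app, data):
        self.files[(card, app)] = bytes(data)

    def fetch(self, card, app):
        data = self.files[(card, app)]
        return card, app, len(data), data  # response: C, K, n, then n bytes


class Card:
    def __init__(self, code, swap_key, size):
        self.code, self.swap_key = code, swap_key
        self.area = bytearray(size)  # loading area of the programmable memory
        self.table = {}              # load table: app code -> Entry
        self.download_orders = 0     # download orders actually sent

    def _sign(self, data):
        # Assumption: HMAC-SHA256 stands in for the unspecified calculation.
        return hmac.new(self.swap_key, bytes(data), hashlib.sha256).digest()

    def initial_load(self, app, addr, data):
        self.area[addr:addr + len(data)] = data
        self.table[app] = Entry(addr=addr, n=len(data))

    def update(self, app, offset, data):
        """Application writes to its own data: the stored signature is stale."""
        e = self.table[app]
        start = e.addr + offset
        self.area[start:start + len(data)] = data
        e.modified = True

    def download(self, app, bank):
        """Free the slot; send data to the bank only if it was modified."""
        e = self.table[app]
        if e.modified:
            data = self.area[e.addr:e.addr + e.n]
            e.signature = self._sign(data)
            bank.store(self.code, app, data)
            self.download_orders += 1
        e.loaded = False

    def reload(self, app, bank):
        e = self.table[app]
        card, code, n, data = bank.fetch(self.code, app)
        if (card, code, n) != (self.code, app, e.n):
            raise ReloadError("C, K or n differ from the order issued")
        self.area[e.addr:e.addr + n] = data
        if not hmac.compare_digest(self._sign(data), e.signature):
            self.area[e.addr:e.addr + n] = bytes(n)  # optional erase
            raise ReloadError("signature mismatch, application not executable")
        e.loaded, e.modified = True, False


def run_demo():
    """Two 16-byte applications share one 16-byte slot (constructed data)."""
    card, bank = Card("C", b"constructed-swap-key", 16), DataBank()
    j_data, k_data = b"J-program+data!!", b"K-program+data!!"
    card.initial_load("J", 0, j_data)
    card.download("J", bank)             # modified: signed and sent
    card.initial_load("K", 0, k_data)
    card.download("K", bank)             # modified: signed and sent
    card.reload("J", bank)               # genuine copy passes the check
    j_ok = bytes(card.area) == j_data and card.table["J"].loaded
    card.download("J", bank)             # unmodified: no order sent
    orders = card.download_orders
    bank.files[("C", "K")] = b"K-pr0gram+data!!"  # bank copy altered
    try:
        card.reload("K", bank)
        k_rejected = False
    except ReloadError:
        k_rejected = True
    return j_ok, orders, k_rejected, card.table["K"].loaded


if __name__ == "__main__":
    print(run_demo())
```

The signature never leaves the card, so the data bank cannot produce a copy that passes the check without the SWAP key.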
To carry out this third improvement, it is convenient to refine the organization of the non-volatile memories, which can be schematized in the following way:

Application program (programmable memory) | Application data | Evolutionary data sequence 1 | Evolutionary data sequence 2
Administration data (SWAP key, TAB_APPLI, ...) in programmable memory
System-type data in programmable memory (code C, ...)
Virtual memory operating system (ROM)
Base operating system (ROM)

Table 9

Table 9 differs from table 1 cited above in the structure of the loading area of its programmable memory, which is presented as follows:

- a block relating to the application as such, which comprises two sub-blocks of data:
  - a block relating to the executable program of the application, indicated as "application program";
  - a block relating to the evolving (non-executable) data of the application, indicated as "application data";
- a certain number of evolutionary (non-executable) data blocks corresponding to particular executions of the executable program: these executions are called "sequences" below. By definition, the data of a sequence are temporary, that is, they are used only during this sequence and not during preceding or following sequences. This is what distinguishes them from the "application data" cited above, which are used during all sequences. In table 9, two blocks of sequence data are represented, indicated as "evolutionary data sequence 1" and "evolutionary data sequence 2". The role of these different blocks of data will be explained in the following example.

To carry out this third improvement, table TAB_APPLI is modified and has the following structure:

Table 10: TAB_APPLI

With respect to table 2 (TAB_APPLI) cited above, this table presents the following differences. The first column specifies, in addition to the code of the application, the number "i" of the sequence concerned.
The data handled fall into two groups: those relating to the executable program and the data of the application, and those relating to the evolutionary data of the sequences.
For each group of data there are the following four columns of table 2 (TAB_APPLI): storage address, number of octets, signature, load indicator.
Each line in the table corresponds to a given sequence P/1 or P/2, both relating to an application P, or to a sequence J/1 or J/2, both relating to another application J. In the different cells of the table, the code of the application is mentioned as a reminder that the value considered relates to a given application; for example:

- ADR-Cod P: storage address relating to application P,
- j-cod: number of octets relating to application J.

On the other hand, the symbol "Cod" indicates that the value considered relates to information of the "application" type (program or data of the first group), while "Dat" indicates that the value considered relates to information of the "sequence" type (data of the second group); for example:

- SGN-cod-P: signature of data (program or data) relating to application P,
- SGN-dat-J/2: signature of data relating to sequence No. 2 of application J.

An example will better describe the problem posed and the way to solve it using the present invention.

The data processing device (card 21 in this case) receives an initial load order for application P: a payment application of the electronic purse type (PME). The application data stored in programmable memory are the executable program and the data relating to the application; there are no evolutionary data corresponding to a sequence. These data comprise n-Cod bytes stored from an address ADR-Cod-P. The load indicator is set to "loaded". In addition to the data concerning the executable program and the application data, the data transmitted during the order contain a number of evolutionary data bytes "p-dat" relating to a sequence i. Table TAB_APPLI then has the following values:

Table 11: TAB_APPLI

The transactions are validated by an electronic circuit called the security module.
This module can be located either in the card reader terminal 20 of figure 1 or, if maximum security is desired, in a banking settlement center that can be located very far from terminal 20. A transaction of the PME type takes place in several stages that require communications between the card, the terminal and the security module. The purchase can be made at the premises of a merchant provided with a terminal with a module, but it can also be made at the home of the cardholder, where the terminal is not equipped with a module.

The card is requested to make a purchase by an order initializing a transaction. The operating system of the card recognizes an application-type order; it then consults its table TAB_APPLI. Consulting the table tells it that the application corresponding to the order is indeed loaded and that no sequence has been assigned. The operating system then initializes a sequence by assigning it a number, "1" for example, and grants this sequence a memory space of "n-dat" octets, starting from the address ADR-Dat-P/1. The load indicator corresponding to this sequence is set to "loaded". Table TAB_APPLI then has the following values:

Table 12: TAB_APPLI

Then, the operating system of the card launches the application program by making a jump to the address ADR-Cod-P; it specifies the address ADR-Dat-P/1 of the temporary data to be used, which allows the application to know where the sequence data are stored in memory. These data are, among others, the amount of the transaction, the object of the transaction, the selling organization and the date of the transaction. On the other hand, data such as the balance of the electronic purse are not temporary sequence data, because their lifetime exceeds that of a sequence; being of the application type, these data are stored in memory with the program of the application.
The purchase of a first product is in progress: the card then sends the reader 20 a message in order to obtain a validation of the transaction from a payment center accessible through the network. This communication may last a certain time. In effect, communications can be altered and the data sent can be analyzed extensively by the banking settlement center. This causes a lengthening of the overall duration of the transaction. During this time, the user decides to make a second purchase. The present invention makes it possible to avoid having to wait for the end of the first transaction before beginning the second.

To make this second purchase, the card is requested a second time by a new order initializing a transaction. In the same way as before, the operating system of the card verifies that the executable program of the PME application is loaded in programmable memory. This verification is carried out by consulting its table TAB_APPLI; the operating system then recognizes the presence of the program and of a sequence (1) that is in progress. It therefore assigns this second execution a new sequence number (2) and initializes table TAB_APPLI by adding a new line to it. Then, it verifies whether there is enough room to allocate n-dat octets in the programmable memory for the non-executable data. If the space is sufficient, a new address ADR-Dat-P/2 is determined and the second transaction can be launched. Table TAB_APPLI has the following values:

Table 13: TAB_APPLI

The two transactions will now be carried out in parallel on the card, without calling on the network. The reader must indicate, in the application orders sent to the card, which transaction is involved.

If the space is insufficient, the operating system of the card decides to download only the evolutionary data corresponding to the first transaction (sequence number 1).
It then calculates the signature of the data of the first sequence, "SGN-dat-P/1", and writes it in table TAB_APPLI. The new non-executable data can thus occupy the same place as the downloaded data, that is, an address common to the two sequences and indicated as ADR-Dat-P. Then, the card sends the reader the following order:

Order of download to the network | Card C | Appli P - Data - sequence number | n-dat | n-dat octets of data

This order is identical in structure to that mentioned above, with the following difference: the third field contains a parameter that specifies not only the code P of the application, but also the fact that it concerns sequence-type data (by the term "Data") and the number 1 of the sequence concerned. Following this command, table TAB_APPLI has the following values:

Table 14: TAB_APPLI

After this operation, the second transaction, which carries sequence number 2, can be continued. This new transaction also needs a validation from the payment center: a request is then sent to the security module.

Suppose that the card receives at this time a validation message for the first transaction. The operating system of the card recognizes, with the help of the sequence number, that this message concerns a transaction other than the one in progress and, by reading table TAB_APPLI, recognizes the first transaction. To deal with it, it must load the non-executable data of the first transaction.

Knowing that the memory space is insufficient for the two data blocks, the operating system of the card must download the data of the second transaction; it then calculates the signature of the data, "SGN-dat-P/2", and writes it in table TAB_APPLI.
Reader the following order:

Table TAB_APPLI then has the following values:

Table 15: TAB_APPLI

The operating system of the card then sends the reader the following order:

Order of download from the network | Card C | Appli P - Data - sequence number 1 | n-dat

This order differs from the reload command already described in that the third field contains a parameter that specifies not only the code P of the application, but also the fact that it concerns sequence-type data (by the term "Data") and the number 1 of the sequence concerned. The reader receives the order and forwards it to the data bank assigned in particular to card C. The data bank looks in the file of this card for the n-dat bytes of non-executable data relating to application P, sequence number 1. The data bank produces the following message, which is the response to the last order of the card; this response is transmitted to the card via the reader:

Card C | Appli P - Data - sequence number 2 | n-dat | n-dat data octets

This response differs from the response to a reload command already described in that the second field contains a parameter that specifies not only the code P of the application, but also the fact that it concerns sequence-type data (by the term "Data") and the number 1 of the sequence concerned. The operating system of the card can perform a preliminary operation in which it verifies that the codes C, P, the sequence number and the n-dat value received are identical to those of the order issued previously. If they are identical, the n-dat octets received are stored in memory from the address ADR-dat-P read in table TAB_APPLI. Once the last octet is written, the operating system recalculates the data signature with the help of a cryptographic calculation that uses the value of the SWAP key. The recalculated signature is then compared with the value "SGN-dat-P/1" written in table TAB_APPLI.
If the two signature values are not the same, the data received from the network are considered not identical to those previously downloaded. There is then a doubt about the authenticity or integrity of the data received. The card forwards to the reader an error message that indicates the receipt of erroneous data during the last load operation and makes it impossible to continue the transaction. If the two values are equal, the data received are considered identical to those previously downloaded by the card: the first transaction can then continue. The operating system of the card immediately updates table TAB_APPLI by setting the data indicator of application P/1 to "loaded".
Table 16: TAB_APPLI

When the update of table TAB_APPLI is finished, the operating system launches application P, which continues the first transaction. When the first transaction is finished, the execution of the program of the application is terminated by a return to the operating system that manages the virtual memory. The operating system then recognizes the end of the sequence and decides to release the memory space corresponding to the sequence data. For this, it deletes the data "storage address", "signature" and the load/discharge indicator by setting them to zero.
Table TAB_APPLI then has the following values:

Table 17: TAB_APPLI

When the card receives the validation of the second transaction, the operating system of the card recognizes, with the help of the sequence number, that this message relates to another transaction that is not "loaded". Since the first transaction is completed, the corresponding non-executable data are no longer useful and it is not necessary to download them; it is sufficient to load the non-executable data corresponding to the second transaction. The operating system sends the following order to the reader:

Order of download from the network | Card C | Appli P - Data - sequence number 2 | n-dat

In the same way as for the loading of sequence 1, the reader receives the order and forwards it to the data bank. The data bank searches, in the file of this card, for the n-dat bytes of non-executable data relating to application P, sequence number 2. The data bank produces the following message, which is transmitted to the card via the reader:

Card C | Appli P - Data - sequence number 2 | n-dat | n-dat data octets

The operating system of the card can carry out a preliminary operation in which it verifies the codes C, P, the sequence number and the n-dat value received. If the verification is satisfied, the octets are written. Then, the operating system calculates and verifies the signature of the data. If the two values are equal, the data received are considered identical to those previously loaded by the card: the second transaction can thus continue. The operating system updates table TAB_APPLI by setting the load indicator of application P/2 to "loaded".
Table 18: TAB_APPLI

When the update of table TAB_APPLI is complete, the operating system launches application P, which continues the second transaction. When the second transaction is completed, the application program is terminated by a return instruction to the operating system that manages the virtual memory. The operating system deduces that sequence "2" is finished; the memory space can then be released. For this, the fields "storage address", "signature" and the load/unload indicator in table TAB_APPLI are set to zero. The table takes the following values:

Table 19: TAB_APPLI

In this state, the operating system of the card can completely erase a line from table TAB_APPLI. The lines of table TAB_APPLI are then managed dynamically, according to needs.

Another, static, method of managing the table is to decide once and for all the maximum number of executable sequences for an application: let "s" be this number. The number "s" is then transmitted during the initial application load order, and the operating system reserves in table TAB_APPLI the space corresponding to these "s" sequences. Take for example the value 2 for s. The load order of application K has the following values:

This order differs from that described above in that it includes a fifth field that defines the value of the parameter s. It will be noted that the order specifies the number n-cod of octets relating to the application and the number n-dat of octets relating to each future sequence and reserved for this use. In a variation, the number n-dat of octets may not be transmitted at this stage, but can be provided later to the operating system of the card when the application is already loaded.

Following this command, the operating system updates table TAB_APPLI with the following values:

Table 20: TAB_APPLI

Application K can now be executed: two sequences are possible.
The card can perfectly well contain, in virtual form, several applications each endowed with several sequences. For example, here is a particular configuration of table TAB_APPLI:

Table 21: TAB_APPLI

In this example, the card virtually holds two applications, indicated as K and J. The executable program of application K is not in the loading area. Three sequences of this application, indicated as 1, 2 and 3, can be executed at the same time. When the first sequence is finished, the other two are in the course of execution. Sequence 2 is downloaded: it would be necessary to reload it to finish it. Also, to finish sequences 2 and 3, it would be necessary to reload the executable program and the data of application K.

The executable program of application J is in the loading area: this application can execute two sequences, indicated as 1 and 2, which are in the process of being executed at the same time. Sequence 2 is downloaded: it will be necessary to reload it to finish it.

From this example, we see that the available memory space needs to be managed well. It is necessary to occupy the loading area as fully as possible and thus avoid overly frequent unloading and loading orders.

Obviously, the improvement consisting in encrypting the data, in addition to signing them, during download, and decrypting them during loading/reloading, can be applied to this third improvement.

An improvement of the initial loading procedure of an application on a card consists in introducing into the card a signature of the application data calculated from a key of the application provider. This signature makes it possible to ensure the integrity of the application data and to authenticate the origin of these application data.

The initial load in accordance with the improvement consists of presenting the card to the application provider. This operation may be carried out on the premises of the application provider.
The latter introduces into the card its provider key, the signature of the application data and the application code, "K" for example. A cardholder makes an initial load request for application K. This request, which has been described above, can be made at his home. A method for performing the initial loading of an application is described in document FR-A-2 748 134.

According to a variant embodiment of the invention, the applications stored on a card are not downloaded to a remote data bank through a network; it is the reader 20 of figure 20 that receives and stores these applications. It has for this purpose a non-volatile, programmable memory in which the applications are stored. The loading and unloading commands are not altered. This variant is of interest when the card is always inserted in the same reader, for example a reader located in the home of the cardholder.

Another variant embodiment of the invention uses the card reader 40 and the chip card 41 of figure 4, where the elements in common with those of figure 2 bear the same references. The card 41 differs from the card 21 of figure 2 in that it carries an optical track 42, for example a track for writing and reading by laser beam. As for the card reader 40, it differs from the previous one in that it comprises an optical track reader 43, suitable for reading and writing data on the optical track 42, linked to the microprocessor 2 and the memories 3, 4.

According to the invention, the optical track 42 is used as a data bank, instead of the data banks 23 to 25 of figure 1. In practice, during the download of an application from the card 41, the card transmits the download order to the card reader 40. The track reader 43 receives the data of the application and writes them on the optical track 42.
During a reload order, the card reader activates the track reader 43 so that it takes the application data from the optical track 42; the card reader immediately transmits the data to the microprocessor 9 of the card so that they are stored in the loading area. The loading and unloading orders are, however, unchanged.

In a variant, the optical track is replaced by another mass storage medium, for example a magnetic track.

In the above exemplary embodiments, an application download has been described from a data processing device to the outside thereof: in the case of figure 2, the card 21 downloads to the reader 20 or to the data banks 23-25 of figure 1; in the case of figure 4, the data processing device constituted by the microprocessor 9 and its memories 10, 14 effects a discharge towards the optical track 42. In accordance with another variant embodiment of the invention, a data processing device effects a download between several memories of this device. For example, this data processing device is constituted by the card 21 of figure 2, and the microprocessor 9 downloads information from its RAM memory 14 to a non-volatile memory 10.

For example, several applications K, J are stored in the non-volatile memory 10. First, application K is executed; in this case, the work data ItK relating to application K are processed in the RAM memory, while a program of application K remains in the non-volatile memory 10. These work data include in particular:

- temporary work variables, which are involved in the calculations,
- context variables, which allow the card to resume an interrupted application execution at a later time,
- subprograms.

At a given moment, the card must execute another application J and, for this, load work data ItJ into the RAM. If the card finds that the free space in the RAM memory is insufficient to receive the work data ItJ, it decides to stop the execution of application K and to download the work data ItK of application K into its non-volatile memory 10. Then, it executes application J by loading the associated work data ItJ into RAM. After the execution of application J, the card resumes execution of application K at the point where it was interrupted, by loading the work data ItK into RAM memory again.

In this last variant of the invention, the loading and unloading commands are not used, because the data processing device concerned does not call on an external device to carry out the loading and unloading operations of its memories. It still has a table TAB_APPLI, but it is simplified in relation to table 2 cited above: the parameter "data signature" is deleted. Since the data do not leave the data processing device, they do not run the risk of being altered during their download.

In the above, the card's decision to download a data set has been described as following an order, received by the card, to load another data set. It is nevertheless recalled that the invention also covers the case where the order received by the card is to execute an operation other than the loading of a data set. For example, a particular processing requested of the card may require a memory space greater than the space currently available in the memory of the card: in particular it may be a cryptographic calculation. In this case, the card will decide to download a set of data to be able to execute this operation. Another example is where the order received by the card is an order to execute an application K that has previously been downloaded from the card. The card must then reload this application to execute it: if the memory space is insufficient for this reload, the card will decide to download another application J, then carry out the reloading of application K.
It is stated that, in relation to this date, the best method known to the applicant for carrying out said invention is that which is clear from the present description of the invention.

Claims (18)

Having described the invention as above, the content of the following claims is claimed as property:

  1. A chip card comprising data processing means and data storage means or main information memory means, characterized in that the processing means comprise: - means for detecting, during the operation of the chip card, that the data storage means or main memory means contain an amount of information such that the execution of an operation is not possible; - means for selecting, in the data storage means or main memory means, a set of data to be downloaded, wherein the download can release in the main memory means a sufficient space to authorize the execution of the operation; - means for downloading the data set to be downloaded into secondary memory storage media, in the case where the secondary memory means do not contain the data set to be downloaded.
  2. The chip card according to claim 1, characterized in that it comprises a load table ( -APPLI) stored in the main memory means and which includes a storage indicator indicating, for at least one data set, whether it is stored or not in the main memory means, such that, when the processing means must have access to the data set, they consult the storage indicator and: - in a first case where the storage indicator indicates that the data set is stored, the processing means access it; or - in a second case where the storage indicator indicates that the data set is not stored, the processing means send a load order of this data set to the main memory means.
  3. The chip card according to claim 2, characterized in that the storage indicator comprises a "loaded" state indicating that the corresponding data set has been loaded on the chip card from the secondary memory means and a "downloaded" state indicating that the corresponding data set has been downloaded by the chip card to the secondary memory means.
  4. The chip card according to claim 1, characterized in that it comprises a load table stored in the main memory means and which includes a modification indicator that indicates, for at least one data set of which a first version has been loaded in the chip card from the secondary memory means, whether this first version has been modified or not in the chip card, in such a way that, when this data set must be downloaded to the secondary memory means, it is actually downloaded only if this first version has been modified.
  5. The chip card according to claim 1, characterized in that it stores at least one data set in two parts, namely a subset of application data containing a program of general operating data of an application and a subset of sequence data containing particular data defining a particular session of operation of the application, and comprises means for detecting that several data sets possess a same subset of application data and different respective sequence data subsets, in such a way that it stores the subset of application data not more than once in the main memory means and associates it with each of the subsets of sequence data.
  6. The chip card according to claim 5, characterized in that it comprises: - means for detecting, during its operation, that the main memory means contain an amount of data such that the complementary storage of a subset of sequence data to be stored, associated with a subset of already stored application data, is not possible; - means for selecting, in the main memory means, a subset of sequence data to be downloaded, associated with the same subset of application data, wherein the download may release a sufficient space in the main memory means to authorize storage of the subset of sequence data to be stored; - means for downloading this subset into the secondary memory means, in the case where the secondary memory means do not contain the subset of sequence data to be downloaded; and - means for storing in the main memory means the subset of sequence data to be stored.
  7. The chip card according to claim 5, characterized in that it comprises a load table stored in the main memory means and that includes, for each subset of stored application data, a maximum number of associated sequences, which can be stored in the main memory media.
  8. The chip card according to claim 5, characterized in that it comprises means for loading into the main memory means a data set previously downloaded from the secondary memory means.
  9. The chip card according to claim 8, characterized in that it comprises a load table stored in the main memory means and which includes, for at least one data set processed by the device, a first signature of this data set calculated by the processing means before the eventual downloading of the information set, with a signature key stored in the main memory means, the processing means being provided to calculate a second signature of the recharged data set, to compare this second signature with the first, to validate the recharge of the data set in the case where the two signatures are identical and to invalidate the recharge of the data set in the case where the two signatures are different.
  10. A memory management process for a chip card comprising data processing means and data storage means or main memory means, characterized in that it comprises the steps consisting of: - detecting, during the operation of the chip card, that the main memory means contain an amount of data such that the execution of an operation is not possible; - selecting, in the main memory means, a set of data to be downloaded, wherein the download can release in the main memory means a sufficient space to authorize the execution of the operation; - downloading the data set to be downloaded to the secondary memory means, in the case where the secondary memory means do not contain the data set to be downloaded.
  11. The process according to claim 10, characterized in that it comprises the steps consisting of: - detecting, during the operation of the chip card, that the main memory means contain a quantity of data such that an additional storage of a given set of previously downloaded data is possible; - reloading the downloaded data set in the main storage media.
  12. The process according to claim 10, characterized in that it comprises the steps consisting of: - detecting, during the operation of the chip card, that the main memory means contain an amount of data such that a complementary storage of a given set of previously downloaded data is not possible; - selecting from the main memory means a set of data to be downloaded, wherein the download can release in the main memory means a sufficient space to authorize the storage of the previously downloaded data set; - downloading the data set to be downloaded to the secondary memory means, in the case where the secondary memory means do not contain the data set to be downloaded; and - recharging the previously downloaded data set in the main memory means.
  13. The process according to claim 10, characterized in that the secondary memory means comprise a data bank distant from the chip card and linked thereto by a data transmission network.
  14. The process according to claim 10, characterized in that the secondary memory means belong to a data processing device cooperating with the chip card.
  15. The process according to claim 10, characterized in that the secondary memory registers belong to the chip card.
  16. A communication protocol between a chip card and a chip card reader, the card comprising data processing means and main information memory means, characterized in that it comprises the steps consisting of: - the reader transmits to the card an order to execute an operation; - the card searches if, to execute this operation, it has a sufficient place in the main memory means; - if affirmative, the card executes the operation, then transmits an execution summary to the reader; - in the negative case, the reader selects from the main memory means a set of data to be downloaded, wherein the download can release in the main memory means a sufficient space to authorize the execution of the operation, then the card downloads the data set to be downloaded to the secondary memory means and transmits a download command to the reader, in the case where the secondary memory means do not contain the data set to be downloaded, then executes the operation and finally transmits a summary of execution to the reader.
  17. The protocol according to claim 16, characterized in that the operation is a load of a set of data to be stored, and the steps consist of: - the reader transmits to the card a load order of the data set to be stored; - the card searches if, to execute this loading order, it has enough space in the main memory means; - in the affirmative case, the card executes the load command and then transmits an execution summary to the reader; - if not, the card: - transmits to the reader an order to suspend the load; - selects in the main memory means a set of data to be downloaded, wherein the download can release in the main memory means a space sufficient to authorize the execution of the load order; - downloads the data set to be downloaded to the secondary memory means by transmitting a download order to the reader, in the case where the secondary memory means do not contain the data set to be downloaded; - transmits to the reader an order for resumption of the load; - executes the load and then transmits an execution summary to the reader.
  18. The protocol according to claim 16, characterized in that the execution order of an operation consists, for the reader, of triggering or driving a power supply to the card.
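
The load-table behaviour of claims 1 to 4 and 9, as an added Python example that is not part of the patent: the card unloads a resident data set when space is short, skips the transfer when the set is unmodified and already held in secondary memory, and refuses a reload whose signature differs from the stored one. The class name Card, the dict standing in for the reader or data banks, HMAC-SHA256 as the signature, oldest-first selection and recording the reference signature at first load are all assumptions.

```python
import hmac

class Card:  # toy model: fixed-size main memory, load table, secondary store
    def __init__(self, capacity, key, secondary):
        self.capacity, self.key, self.secondary = capacity, key, secondary
        self.main, self.table = {}, {}  # resident data sets; load table
        self.transfers = 0              # unloads that really moved data out

    def _sign(self, data):  # assumption: HMAC-SHA256 as the keyed signature
        return hmac.digest(self.key, data, "sha256")

    def _unload(self, name):
        data, entry = self.main.pop(name), self.table[name]
        # Transfer only if the card changed the set or no outside copy exists.
        if entry["modified"] or name not in self.secondary:
            entry["sig"] = self._sign(data)  # first signature, before unloading
            self.secondary[name] = data
            self.transfers += 1
        entry.update(stored=False, modified=False)

    def _make_room(self, needed):
        if needed > self.capacity:
            raise MemoryError("data set larger than main memory")
        for victim in list(self.main):  # assumed policy: oldest resident first
            if self.capacity - sum(map(len, self.main.values())) >= needed:
                break
            self._unload(victim)

    def access(self, name):
        """Return a data set, loading or reloading it when the table says so."""
        entry = self.table.get(name)
        if entry is None or not entry["stored"]:
            data = self.secondary[name]
            if entry is None:  # first load: record the reference signature
                entry = self.table[name] = {"stored": False, "modified": False,
                                            "sig": self._sign(data)}
            elif not hmac.compare_digest(self._sign(data), entry["sig"]):
                raise ValueError("reload invalidated: signature mismatch")
            self._make_room(len(data))
            self.main[name] = data
            entry["stored"] = True
        return self.main[name]

    def update(self, name, data):
        """Modify a resident data set in place (same size, to keep this short)."""
        if len(data) != len(self.access(name)):
            raise ValueError("size change not modelled")
        self.main[name] = data
        self.table[name]["modified"] = True
```

The signature is checked before any resident set is unloaded, so a rejected reload leaves main memory as it was.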
MXPA/A/1999/011751A 1998-04-15 1999-12-15 Chip card comprising means for managing a virtual memory, associated communication method and protocol MXPA99011751A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR98/04693 1998-04-15

Publications (1)

Publication Number Publication Date
MXPA99011751A (en) 2000-06-01

Similar Documents

Publication Publication Date Title
CA2293297C (en) Chip card comprising means for managing a virtual memory, associated communication method and protocol
EP0976114B1 (en) Secure multiple application card system and process
EP0981807B1 (en) Integrated circuit card with application history list
JP4127862B2 (en) IC card delivery key set
JP4906168B2 (en) Key distribution unit for IC card
EP0963580B1 (en) Multi-application ic card system
AU732887B2 (en) A system and method for loading applications onto a smart card
AU770396B2 (en) Delegated management of smart card applications
AU6578698A (en) A system and method for a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card
EP1053535A1 (en) Configuration of ic card
WO1999040549A1 (en) System and method for controlling access to computer code in an ic card
MXPA99011751A (en) Chip card comprising means for managing a virtual memory, associated communication method and protocol