WO1999013612A1 - Method of loading commands in the security module of a terminal - Google Patents
Method of loading commands in the security module of a terminal
- Publication number
- WO1999013612A1 (PCT/EP1997/004963)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- commands
- terminal
- security module
- results
- script file
- Prior art date
Classifications
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/355—Personalisation of cards for use
- G06Q20/3552—Downloading or loading of personalisation data
Definitions
- The present invention relates to a method of loading commands in the security module of a terminal. More specifically, it relates to the controlled loading of data into the security module of a smart card operated terminal by means of the execution of commands.
- Terminals, such as vending machines or public telephones, often comprise a security module for securely storing usage data.
- Payment data is e.g. the number of times the terminal has been used, the amount of money spent by consumers at the particular terminal, or the number of telephone metering pulses the (telephone) terminal has collected.
- A security module, which is usually mechanically and/or electronically protected against abuse, comprises electronic memory means (such as counters and EEPROM) for registering payment data and for storing keys.
- A security module may further comprise processing means for processing data, such as usage data.
- Such processing means normally comprise a microprocessor running programs consisting of commands stored in the security module. The processing often comprises the cryptographic protection of the usage data in order to prevent fraud.
- An example of a security module and its use is disclosed in US Patent 5 572 004 (Raimann) , which patent is incorporated by reference in this text.
- US patent 4 972 478 discloses a cryptographic circuit connected with external programming equipment which may perform an execution test to verify that the cryptographic circuit accurately performs its cipher algorithm. How this execution test is performed, and which results are transferred to the external programming equipment, is not disclosed. Said patent does not deal with a smart card operated terminal.
- US patent 5 495 571 discloses a method for parametric testing of a function programming interface.
- A testing plan invokes the function with different parameter values and it is tested whether the function returns appropriate error codes.
- Said patent does not deal with the controlled loading of data and commands. Also, said patent does not deal with a smart card operated terminal.
- The present invention provides a method of loading commands in a security module of a terminal, the method comprising the steps of: a station transferring the commands to the terminal via a transfer means; the terminal transferring the commands to the security module; the security module executing the commands; the terminal recording results of the executed commands; and the transfer means transferring the results to the station.
- the station may be a remote terminal management agency.
- the transfer means may e.g. be a telephone line or a (special purpose) card which is inserted into the terminal.
- The commands are transferred to the terminal as part of a script file, the terminal extracting the respective commands from the script file and passing them to the security module.
- The script file contains information allowing the selective recording of results, i.e. allowing the results of some commands to be registered while the results of other commands are not registered. This makes it possible to control the loading of certain commands into the security module by requiring the proper execution of the previous command, while allowing other commands (e.g. commands of which the results are unpredictable) to be loaded without imposing a restriction.
- Since the terminal substantially only transfers the commands to the security module, the terminal is effectively transparent with respect to the commands. This makes the terminal substantially independent of the particular security module used.
- Fig. 1 schematically shows a terminal in which the method of the present invention may be used
- Fig. 2 schematically shows an example of the structure of a script file containing commands to be loaded.
- Fig. 3 schematically shows an example of the structure of a log file containing results of commands .
- Fig. 4 shows a flow diagram representing the processing of commands in a security module according to the present invention.
- the embodiment shown schematically and by way of example in Fig. 1 comprises a terminal 1, connected via a telecommunications link 3 with a station (terminal management center) 4. As will be explained below, the station 4 may serve both to make script files and to verify the functioning of the terminal 1.
- the terminal 1 comprises at least one security module 2 which during normal use of the terminal 1 communicates with a smart card 5.
- The terminal 1 further comprises a processor 6 connected with an associated memory (RAM and/or ROM) 7, an I/O (input/output) unit 8, and the security module 2.
- The I/O unit is connected with the telecommunications link 3, which is e.g. a subscriber line of a public telephone network (PSTN) or a link of a computer network.
- PSTN: public telephone network
- The security module 2 may comprise a processor, a memory, an I/O unit and an associated card reader/writer (not shown) for interfacing with the IC card (smart card) 5.
- A security module normally is a physically and/or cryptographically protected unit for securely storing data relating to the use of the terminal, e.g. transaction data such as monetary balances.
- a script file is made in the station 4.
- The script file, which will further be explained with reference to Fig. 2, contains the commands to be loaded and executed, thus effecting a data transfer to and/or from the security module 2.
- the terminal 1 verifies the origin of the commands, i.e. the terminal checks whether the commands were produced by or at least sent by the station 4.
- This verification, which serves to prevent fraudulent modifications of the contents of the security module, may be effected by comparing a received MAC (message authentication code) with a MAC calculated by the terminal.
- MAC: message authentication code
- A script file 10 may contain a header and a number of records, each record comprising a type field Ti (e.g. T1), a command field Ci (e.g. C1) and a result field Ri (e.g. R1).
- the result field Ri may be empty, as will be explained later.
- a command may contain data to be written in the memory of the security module, such as a key for encrypting usage data. However, a command may also contain an instruction to be executed by the security module 2.
- A suitable format of the commands Ci (i ranges from 1 to 4 in Fig. 2) is e.g. disclosed in the ISO 7816-4 standard.
- the type field Ti allows different types of commands to be distinguished.
- three different types of commands can be distinguished, resulting in three different types of command handling by the terminal.
- a first type of command has an associated expected result or response R.
- This type of command is preferably loaded one by one into the security module, the terminal comparing the actual result Ri' with the expected result Ri and stopping the loading if a discrepancy, i.e. a mismatch between Ri and Ri', occurs. With this type of command it is possible to perform a controlled loading of the security module and to check the proper functioning of the security module while loading.
- A second type of command is not accompanied by an expected response (i.e. the response field Ri may be empty).
- The terminal preferably registers the actual responses.
- This type of command allows a test of the security module to be performed, especially in the case where an unknown type of security module (of which the responses are not completely known in advance) is used. The results may be entered in a log file which can be collected later. Thus an off-line processing of the commands is possible.
- a third type of command is loaded into the security module and executed without taking the result into account. That is, the result of this type of command is not registered by the terminal.
- commands may comprise memory contents, a status (e.g. indicating a failed write operation) , and/or a smart card command.
- The said commands may thus effect a data transfer to and/or from the security module.
- The terminal extracts the commands from the script file and passes them to the security module.
- While the terminal is passive with respect to the commands, it is active with respect to the script file in that it extracts the commands from the file and derives its mode of operation (check result/no check) from the type fields contained in the script file.
- the script file thus comprises information which influences the functioning of the terminal with respect to the script file and the commands derived from it.
- the script file may comprise only a single command. However, the size of the script file may vary and is limited only by the amount of memory available in the terminal. It can also be envisaged that the script file contains commands in a compressed and/or cryptographically protected form.
- In Fig. 3 an example of a so-called log file is shown.
- The file 20 comprises a file header and a number of data fields.
- The actual results of commands are stored during or after the processing (logging of the results).
- The data fields shown contain a first result R1' of a first executed command and a second result R2' of a second executed command.
- These actual results Ri' may be compared with expected results Ri or may be processed in another way.
- The flow diagram of Fig. 4 represents by way of example an embodiment of the method of the present invention.
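As an added example (not code from the patent or its applicant), the following Python models the Fig. 2 script file together with the origin check of the terminal: the station serialises records of (type, command, expected result) behind a header and appends a MAC over the whole file; the terminal verifies that MAC before interpreting a single field and only then extracts the records. The byte layout, the use of HMAC-SHA256 as the MAC, the key and the ISO 7816-4 style APDU values are assumptions chosen for this example; the patent specifies none of them.

```python
import hashlib
import hmac
import struct

# Constructed shared key between station and terminal. Assumption: the patent
# does not name a MAC algorithm, so HMAC-SHA256 stands in for it here.
STATION_KEY = b"constructed-demo-key-not-a-real-secret"

MAGIC = b"SCR1"                               # constructed file header tag
TYPE_CHECK, TYPE_LOG, TYPE_IGNORE = 1, 2, 3   # command types I, II and III
MAC_LEN = 32


def build_script_file(records, key=STATION_KEY):
    """Station side: serialise (type, command, expected_result) records.

    Layout (an assumption chosen for this example, not the patent's):
      header : MAGIC || record count (uint16, big-endian)
      record : type (uint8) || len(C) (uint16) || C || len(R) (uint16) || R
      trailer: HMAC-SHA256 over all preceding bytes, so that the terminal
               can verify the file was produced by the station
    """
    body = bytearray(MAGIC + struct.pack(">H", len(records)))
    for cmd_type, cmd, expected in records:
        if cmd_type not in (TYPE_CHECK, TYPE_LOG, TYPE_IGNORE):
            raise ValueError("unknown command type %r" % cmd_type)
        if cmd_type != TYPE_CHECK and expected:
            raise ValueError("only type I records carry an expected result")
        body += struct.pack(">BH", cmd_type, len(cmd)) + cmd
        body += struct.pack(">H", len(expected)) + expected
    mac = hmac.new(key, bytes(body), hashlib.sha256).digest()
    return bytes(body) + mac


def parse_script_file(blob, key=STATION_KEY):
    """Terminal side: verify the origin MAC, then extract the records.

    Returns the list of (type, command, expected_result) tuples, or None if
    the MAC or the layout is wrong. The MAC is checked before any field is
    interpreted, so a tampered or truncated file never reaches the command
    loop.
    """
    if len(blob) < len(MAGIC) + 2 + MAC_LEN:
        return None
    body, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected_mac = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, mac):
        return None
    if body[:len(MAGIC)] != MAGIC:
        return None
    try:
        (count,) = struct.unpack(">H", body[4:6])
        pos, records = 6, []
        for _ in range(count):
            cmd_type, clen = struct.unpack(">BH", body[pos:pos + 3])
            pos += 3
            cmd = body[pos:pos + clen]
            pos += clen
            (rlen,) = struct.unpack(">H", body[pos:pos + 2])
            pos += 2
            expected = body[pos:pos + rlen]
            pos += rlen
            if len(cmd) != clen or len(expected) != rlen:
                return None
            records.append((cmd_type, cmd, expected))
    except struct.error:
        return None
    if pos != len(body):
        return None          # trailing bytes: reject rather than guess
    return records


# Constructed sample script in the spirit of Fig. 2, with ISO 7816-4 style
# APDUs as command bytes (the values are illustrative, not from the patent).
SAMPLE_KEY_VALUE = bytes(range(16))
SAMPLE_RECORDS = [
    # type I: SELECT by AID, the terminal insists on status word 90 00
    (TYPE_CHECK, bytes.fromhex("00A4040006A00000000101"), b"\x90\x00"),
    # type I: UPDATE BINARY writing key material, must succeed before going on
    (TYPE_CHECK, b"\x00\xd6\x00\x10\x10" + SAMPLE_KEY_VALUE, b"\x90\x00"),
    # type II: READ BINARY, response not known in advance, to be logged
    (TYPE_LOG, b"\x00\xb0\x00\x10\x10", b""),
    # type III: GET CHALLENGE, result unpredictable and therefore ignored
    (TYPE_IGNORE, b"\x00\x84\x00\x00\x08", b""),
]


def round_trip(records=SAMPLE_RECORDS, key=STATION_KEY):
    """Build a script file and parse it back; True if the records survive."""
    return parse_script_file(build_script_file(records, key), key) == records
```

round_trip() builds and parses the constructed sample. Flipping any byte of the file, including one inside the MAC itself, or parsing with a different key makes parse_script_file return None before any command is extracted, which is what the origin check described above is meant to guarantee.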
- The diagram comprises an initialization step 100, denoted "Start", in which a command or a script file containing commands is transferred from the station 4 to the security module 2 of the terminal 1 (cf. Fig. 1).
- In step 101 the command is loaded into the processor of the security module 2, e.g. by extracting the command from the script file.
- In step 102 the security module re-calculates the message authentication code of the command, resulting in an actual (recalculated) code MAC.
- In step 103 this actual code MAC is compared with the received code MAC. If the codes are equal, the received code MAC is considered authentic and the procedure continues with step 104. If the codes are not equal, the procedure exits via an appropriate exit routine (not shown), which may generate an error message.
- In step 104 the type of the command is determined by reading the type (Ti) of the command (cf. Fig. 2) and is temporarily stored. Then, in step 105, the command (Ci) is executed by the security module and the results (Ri') are temporarily stored. In steps 106 through 108 the security module determines if and how the results are going to be processed.
- If, in step 106, the type equals I (first type), the procedure continues with step 112, in which the expected result (Ri) is read from the script file (cf. Fig. 2) to be compared with the actual result (Ri') in step 113. If, in step 113, the results are equal, the procedure continues with step 109, else the procedure exits (incorrect result). If the type does not equal I, the procedure continues with step 107.
- If, in step 107, the type equals II (second type), the procedure continues with step 114, in which the actual result (Ri') is registered, e.g. in the log file of Fig. 3. If the type does not equal II, the procedure continues with step 108.
- If, in step 108, the type equals III (third type), the procedure continues with step 109. If the type does not equal III, the procedure exits (incorrect type).
- In steps 109 and 110 the security module checks whether the end of the script file has been reached. If the end of the file is detected in step 110, the procedure terminates in step 111, e.g. by closing and transmitting the log file (if appropriate). If the end of the script file has not yet been reached, the procedure continues with step 101, in which the next command is loaded.
- the procedure set out above is given by way of example only.
- The checking of the message authentication code, or of any other data protecting code, could be carried out by performing an inverse calculation of the code instead of a re-calculation as set out in steps 102 and 103.
- The results of executed commands are preferably registered by storing these in the memory of the security module.
- The results may be stored in the memory (7) of the terminal.
- A log file may be stored in the terminal memory (7) before transmitting the file to the station (4) or transferring the file to a smart card (5).
- A script file may also be stored in the terminal memory (7), each command being loaded into the security module in step 101 of the above procedure.
- the method of the present invention allows both a flexible loading of data in the security module and a remote check of the functioning of the security module.
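The Fig. 4 command loop, as an added example that is not code from the patent: each record carries its own MAC, the security module recalculates it (steps 102 and 103), executes the command (step 105) and then handles the result according to its type (steps 106 to 114), exiting with an error on a MAC mismatch, an incorrect type-I result or an unknown type, and logging type-II results as in Fig. 3. The simulated security module, its three toy ISO 7816-4 style commands, HMAC-SHA256 as the MAC and the key are all constructed for this example.

```python
import hashlib
import hmac

TYPE_CHECK, TYPE_LOG, TYPE_IGNORE = 1, 2, 3   # command types I, II and III

# Constructed key shared by station and security module. Assumption: the
# patent leaves the MAC algorithm open, so HMAC-SHA256 stands in for it.
KEY = b"constructed-demo-key"


def command_mac(cmd_type, cmd, key=KEY):
    """Station side: MAC over the type byte and the command bytes."""
    return hmac.new(key, bytes([cmd_type]) + cmd, hashlib.sha256).digest()


class SimulatedSecurityModule:
    """Toy security module: three ISO 7816-4 style commands with fixed
    behaviour. Constructed for this example; a real module has its own set.
    """

    def __init__(self):
        self.memory = {}      # offset -> bytes written by UPDATE BINARY
        self.challenges = 0   # stands in for the module's random source

    def execute(self, cmd):
        if cmd.startswith(b"\x00\xd6"):      # UPDATE BINARY: P1P2 = offset
            offset = int.from_bytes(cmd[2:4], "big")
            self.memory[offset] = cmd[5:]    # bytes after Lc
            return b"\x90\x00"
        if cmd.startswith(b"\x00\xb0"):      # READ BINARY at offset (Le ignored)
            offset = int.from_bytes(cmd[2:4], "big")
            return self.memory.get(offset, b"") + b"\x90\x00"
        if cmd.startswith(b"\x00\x84"):      # GET CHALLENGE: unpredictable
            self.challenges += 1
            return self.challenges.to_bytes(8, "big") + b"\x90\x00"
        return b"\x6d\x00"                   # instruction not supported


def run_script(records, module, key=KEY):
    """Steps 101 to 111 of Fig. 4 over (type, command, expected, mac) records.

    Returns (status, log): log holds the type-II results (Fig. 3), status is
    'ok', 'mac failure', 'incorrect result' or 'incorrect type'.
    """
    log = []
    for cmd_type, cmd, expected, mac in records:           # step 101
        recalculated = command_mac(cmd_type, cmd, key)     # step 102
        if not hmac.compare_digest(recalculated, mac):     # step 103
            return "mac failure", log
        actual = module.execute(cmd)                       # steps 104, 105
        if cmd_type == TYPE_CHECK:                         # steps 106, 112, 113
            if actual != expected:
                return "incorrect result", log
        elif cmd_type == TYPE_LOG:                         # steps 107, 114
            log.append((cmd, actual))
        elif cmd_type != TYPE_IGNORE:                      # step 108
            return "incorrect type", log
    return "ok", log                                       # steps 110, 111


def make_record(cmd_type, cmd, expected=b"", key=KEY):
    """Station side helper: attach the per-command MAC to a record."""
    return (cmd_type, cmd, expected, command_mac(cmd_type, cmd, key))


KEY_VALUE = bytes(range(16))   # constructed key material to be written

# Constructed sample script: write a key under control, read it back into
# the log, then fire an unpredictable command whose result is ignored.
SAMPLE_SCRIPT = [
    make_record(TYPE_CHECK, b"\x00\xd6\x00\x10\x10" + KEY_VALUE, b"\x90\x00"),
    make_record(TYPE_LOG, b"\x00\xb0\x00\x10\x10"),
    make_record(TYPE_IGNORE, b"\x00\x84\x00\x00\x08"),
]

if __name__ == "__main__":
    status, log = run_script(SAMPLE_SCRIPT, SimulatedSecurityModule())
    print(status, [(c.hex(), r.hex()) for c, r in log])
```

Because the type-I check stops the loop at the first mismatch, a failed key write never lets the following commands run, which is the controlled-loading property the description attributes to the first command type; a record whose bytes were altered after the station signed it is refused at step 103 before the module executes anything.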
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- Computer Networks & Wireless Communication (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP97909248A EP1013029A1 (fr) | 1997-09-09 | 1997-09-09 | Procede servant a charger des commandes dans le module de securite d'un terminal |
HU0004101A HUP0004101A3 (en) | 1997-09-09 | 1997-09-09 | Terminal and method of loading commands in the security module of the terminal |
IL13395497A IL133954A0 (en) | 1997-09-09 | 1997-09-09 | Method of loading commands in the security module of a terminal |
NZ501677A NZ501677A (en) | 1997-09-09 | 1997-09-09 | Verification of loading of commands in the security module of a terminal |
JP2000511281A JP2001516907A (ja) | 1997-09-09 | 1997-09-09 | 端末の安全保障モジュールへのコマンドのローディング方法 |
CA002295887A CA2295887A1 (fr) | 1997-09-09 | 1997-09-09 | Procede servant a charger des commandes dans le module de securite d'un terminal |
PCT/EP1997/004963 WO1999013612A1 (fr) | 1997-09-09 | 1997-09-09 | Procede servant a charger des commandes dans le module de securite d'un terminal |
AU47023/97A AU749396B2 (en) | 1997-09-09 | 1997-09-09 | Method of loading commands in the security module of a terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP1997/004963 WO1999013612A1 (fr) | 1997-09-09 | 1997-09-09 | Procede servant a charger des commandes dans le module de securite d'un terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1999013612A1 true WO1999013612A1 (fr) | 1999-03-18 |
Family
ID=8166742
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP1997/004963 WO1999013612A1 (fr) | 1997-09-09 | 1997-09-09 | Procede servant a charger des commandes dans le module de securite d'un terminal |
Country Status (7)
Country | Link |
---|---|
EP (1) | EP1013029A1 (fr) |
JP (1) | JP2001516907A (fr) |
AU (1) | AU749396B2 (fr) |
CA (1) | CA2295887A1 (fr) |
HU (1) | HUP0004101A3 (fr) |
IL (1) | IL133954A0 (fr) |
WO (1) | WO1999013612A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104834286B (zh) * | 2015-03-30 | 2017-07-11 | 北京经纬恒润科技有限公司 | 一种重编程方法、系统、重编程设备及电子控制单元 |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4777355A (en) * | 1986-12-24 | 1988-10-11 | Mitsubishi Denki Kabushiki Kaisha | IC card and system for checking the functionality thereof |
GB2205667A (en) * | 1987-06-12 | 1988-12-14 | Ncr Co | Method of controlling the operation of security modules |
EP0368752A1 (fr) * | 1988-11-09 | 1990-05-16 | CP8 Transac | Système de téléchargement sécurisé d'un terminal et procédé mis en oeuvre |
US4972478A (en) * | 1989-07-03 | 1990-11-20 | Motorola, Inc. | Soft logic cryptographic circuit |
FR2657445A1 (fr) * | 1990-01-25 | 1991-07-26 | Gemplus Card Int | Procede de chargement de programmes d'application dans un lecteur de carte a memoire a microprocesseur et systeme destine a sa mise en óoeuvre. |
EP0588339A2 (fr) * | 1992-09-18 | 1994-03-23 | Nippon Telegraph And Telephone Corporation | Méthode et dispositif pour régler des comptes bancaires à l'aide de cartes à circuit intégré |
US5495571A (en) * | 1992-09-30 | 1996-02-27 | Microsoft Corporation | Method and system for performing parametric testing of a functional programming interface |
EP0707290A1 (fr) * | 1994-10-11 | 1996-04-17 | Cp8 Transac | Procédé de chargement d'une zone mémoire protégée d'un dispositif de traitement de l'information et dispositif associé |
EP0825739A1 (fr) * | 1996-08-15 | 1998-02-25 | Koninklijke KPN N.V. | Procédé de chargement de commandes dans un module de sécurité d'un terminal |
1997
- 1997-09-09 AU AU47023/97A patent/AU749396B2/en not_active Ceased
- 1997-09-09 HU HU0004101A patent/HUP0004101A3/hu unknown
- 1997-09-09 IL IL13395497A patent/IL133954A0/xx unknown
- 1997-09-09 CA CA002295887A patent/CA2295887A1/fr not_active Abandoned
- 1997-09-09 JP JP2000511281A patent/JP2001516907A/ja active Pending
- 1997-09-09 EP EP97909248A patent/EP1013029A1/fr not_active Withdrawn
- 1997-09-09 WO PCT/EP1997/004963 patent/WO1999013612A1/fr not_active Application Discontinuation
Also Published As
Publication number | Publication date |
---|---|
EP1013029A1 (fr) | 2000-06-28 |
AU4702397A (en) | 1999-03-29 |
IL133954A0 (en) | 2001-04-30 |
HUP0004101A3 (en) | 2003-05-28 |
JP2001516907A (ja) | 2001-10-02 |
AU749396B2 (en) | 2002-06-27 |
HUP0004101A2 (hu) | 2001-05-28 |
CA2295887A1 (fr) | 1999-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5856659A (en) | Method of securely modifying data on a smart card | |
KR900005212B1 (ko) | 패스워어드를 변경할 수 있는 ic 카아드 | |
US4907271A (en) | Secure transmission of information between electronic stations | |
EP0858644B1 (fr) | Systeme et procede pour charger des applications dans une carte a puce | |
US20030014643A1 (en) | Electronic apparatus and debug authorization method | |
US20020010856A1 (en) | IC, IC-mounted electronic device, debugging method and IC debugger | |
US7246375B1 (en) | Method for managing a secure terminal | |
CZ287424B6 (en) | Method of protected execution of transaction by making use of electronic means of payment | |
WO1999064996A1 (fr) | Carte a circuit integre prechargee et procede d'authentification d'une telle carte | |
GB2358500A (en) | Programming data carriers | |
US6641045B1 (en) | Portable electronic device with self-diagnostic function | |
US6052783A (en) | Method of loading commands in the security module of a terminal | |
US8041938B2 (en) | Alternatively activating a replaceable hardware unit | |
US7464260B2 (en) | Method for alternatively activating a replaceable hardware unit | |
US7113592B1 (en) | Method and device for loading input data into a program when performing an authentication | |
AU749396B2 (en) | Method of loading commands in the security module of a terminal | |
US8020773B2 (en) | Method for personalizing chip cards | |
NZ501677A (en) | Verification of loading of commands in the security module of a terminal | |
US9183160B2 (en) | Integrated circuit board with secured input/output buffer | |
JPS61151793A (ja) | Icカ−ド機密保持方式 | |
CZ440399A3 (cs) | Způsob nahrávání příkazů do bezpečnostního modulu terminálu | |
Haneberg | Electronic ticketing: a smartcard application case-study | |
MXPA99011648A (es) | Metodo para operar una terminal de seguridad | |
CZ16897A3 (cs) | Způsob a zařízení pro placení z čipových karet s burzovní funkcí |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1; Designated state(s): AL AM AU AZ BA BB BG BR BY CA CN CU CZ FI GE GH HU IL IS JP KE KG KP KR KZ LC LK LR LS LT LV MD MG MK MN MW MX NO NZ PL RO RU SD SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
WWE | Wipo information: entry into national phase | Ref document number: 1997909248; Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: PV1999-4403; Country of ref document: CZ |
WWE | Wipo information: entry into national phase | Ref document number: 501677; Country of ref document: NZ |
ENP | Entry into the national phase | Ref document number: 2295887; Country of ref document: CA; Ref country code: CA; Kind code of ref document: A; Format of ref document f/p: F |
NENP | Non-entry into the national phase | Ref country code: KR |
WWP | Wipo information: published in national office | Ref document number: PV1999-4403; Country of ref document: CZ |
WWP | Wipo information: published in national office | Ref document number: 1997909248; Country of ref document: EP |
WWR | Wipo information: refused in national office | Ref document number: PV1999-4403; Country of ref document: CZ |
WWW | Wipo information: withdrawn in national office | Ref document number: 1997909248; Country of ref document: EP |