DESCRIPTION
TITLE
Mobile Intelligent Memory (MIM) unit with removable security key
TECHNICAL FIELD The present invention relates generally to a device for the management and security of large data files in a hand held unit with a removable security key for additional physical security.
BACKGROUND ART For many chip card applications, smart cards are the technology of choice for securing sensitive data and performing security functions such as validation, authentication and non-repudiation. For many applications they are considered the most convenient technology for providing secure access to a range of service applications. They are also physically robust, relatively tamperproof, inexpensive, very secure and socially accepted. However, there are many limitations. First, the data storage capacity is, and will remain, limited. Second, their data processing speed and their suitability for multi-application use are limited. Third, card holders have limited opportunities to access a smart card reader. Smart card technology is also limited by constraints on the operating systems and applications. Smart card functionality is not flexible: smart cards can perform only the operating system functions stored in Read Only Memory (ROM) during manufacture, and possibly some additional functions stored in Non-Volatile Memory (NVM) during the initialisation stage. Smart cards are not able to accommodate executable code that may be loaded by different applications. Smart card configuration is also inflexible: at present, multi-application smart cards are managed and issued by a single organisation (the issuer). An issuer generally creates the access privilege controls, divides the NVM among the different uses, and loads data specific to the user. These functions are completed during the initialisation that is required before the card can be used. Thus the configuration and data storage functions cannot be altered during the life of the card. They are constrained by the small NVM and by the lack of memory management facilities for inter-application security.
On the other hand, there is a wide range of data storage devices that offer large memory capacity but little or no security. At present the portable data storage market is undergoing rapid expansion, with a range of new technologies capable of retaining data, some with a degree of security: for example CD-ROMs, diskettes, PCMCIA memory cards, Zip and tape drives, and optical disc technologies. These devices contain only passive memory with little or no internal memory management functions, and their memory management is also inflexible. However, no one has conceived of, or manufactured, a device which achieves the full set of operational objectives which can be met according to the set of claims of this invention. The said MIM device offers enhanced capacity, superior security, interoperability and management flexibility, all within the confines of a small hand-held and physically robust unit.
Currently there are many possible applications that require more memory capacity and flexibility than is available in a smart card. In comparison to smart cards, the PC card (as defined by the Personal Computer Memory Card Industry Association - PCMCIA) has been developed to provide high memory storage capacity - but with less security. Other one card systems have also suffered from limitations that have continued to inhibit their ability to meet new demands. However, recent developments on a number of fronts mean that a new generation of more flexible, secure chip card technologies, such as the said MIM device, can now be conceived and developed.
DISCLOSURE OF INVENTION
For the purposes of understanding the specific claims embodying this invention, and the operational requirements, the following definition has been adopted: 'A Mobile Intelligent Memory (MIM) device comprises a method and apparatus for a palm-size flexible, high security, large capacity data storage and management unit(s) with access secured by a physically removable electronic agent(s) or key(s). A MIM device can be used to provide a flexible and small form factor unit used for the secure transmission, receipt, storage, management and mobility of large (or small) data files.'
The owner of the said invention can store information on a single small palm-sized unit that is 'unlocked' with a physically separate electronic 'secure key'. Security key(s), or agent(s), can include (but are not limited to) smart cards, and emerging new security agents such as biometric auto-ID units. The said invention can also be interfaced with a range of peripheral devices, such as a PC via a PCMCIA card interface, a floppy disc drive, a GSM handset via a SIM card interface, or remote electromagnetic (EM) communications links. This means that the said invention can offer several consumer or corporate services. For example, it can be used as: a personal information manager (PIM); an Internet downloading/uploading facility; an email/voice mail message repository; a voice memo for logging thoughts; video or image capture/storage; secure person-to-person communications; and a global positioning system.
This means, that a MIM device can be manufactured in several forms. Additional hardware and software features might also be incorporated to improve utility for some applications. The owner of a MIM device can also have the option to store unsecured data in the MIM memory with the use of an electronic secure key remaining optional. However for the protection of more sensitive files, the owner may select and configure the MIM device access rights so that the files can only be accessed with one or more nominated secure keys/agents.
Additional security for validation and authentication might also be added (eg. finger print, or PIN use). The owner is therefore able to have more flexible and personal control over information storage and management. One MIM device may be configured to be accessed by one or more secure keys; conversely, one secure key may be configured to have access and security management privileges for one or more MIM devices.
The MMU(s) (Memory Management Unit(s), described with Figure 1 below) can be designed to accommodate many of the anticipated characteristics of the MIM housing, including large memory storage space, fast data transfer rates, interoperability and low power consumption. This also means, for example, that the MMU(s) could be standardised to be interfaced with GSM handsets, as well as with a range of field data collection or medical instruments. Other potential MIM hosts, such as digital TV reception sets and public information booths, might also be considered at a future time. The MMU(s) therefore has three complementary roles within the MIM unit: (1) to serve as an intermediary between the host, which provides commands to the MIM, and the memory unit(s) (MU(s)), which serve these commands; (2) to manage and control the sequence of exchanges occurring between the MMU(s), the host and the secure agent(s); and (3) to share the security of the MIM unit with the secure agent(s). The MU(s) will be responsible for storing data and will each consist of two main parts: a physical manager, for the smart card and MMU interfaces, and the memory storage area.
The said invention represents a significant new personal chip technology with the following set of operational advantages: portability (pocket or palm size); physical robustness; a flexible and high level of security and tamperproofing; large data storage capacity; compatibility with existing and emerging technologies; a new and improved method of offline archiving of data; and an alternative way for individuals to manage, secure, store or transmit sensitive files and communications with one or more other compatible MIM device owners. The role of the said invention is determined by the conditions of use and privileges afforded by the associated secure key. Until now, no device has been able to combine all of these advantages in a small, secure and flexible form factor device using known or emerging technologies.
BRIEF DESCRIPTION OF DRAWINGS These and other objects, features and advantages will be understood from the following brief description of an embodiment given solely by way of example, illustrated by the accompanying drawings wherein:
Figure 1 is a block diagram of the unit structure according to the present invention;
Figure 2 shows one possible example of a block diagram of the architecture according to the invention; and,
Figure 3 illustrates one possible form of a MIM device and its operational use according to the present invention.
PREFERRED EMBODIMENTS It will be understood that the specifications and examples used are illustrative but not limitative to the present invention and that other embodiments within the spirit and scope of the invention will suggest themselves to those skilled in the art.
Referring to Figure 1, it can be seen that the architectural components of one form of the said device include: a CompactFlash (TM) memory storage unit (MU) (1), a Memory Management Unit (MMU) (2), a smart card secure key (3), a PC host (4), a PCMCIA interface (5), and smart card interfaces (6, 7). At least one authorised smart card (3) is needed to access the MU (1), and the MMU (2) is required to manage a unique directory to be shared only by the authorised cards (3). In one form of the invention a PCMCIA bus connection (5) links the MIM to the host PC (4). This interface (5) has been designed and standardised for a wide range of peripheral devices and covers most of the anticipated characteristics of the MIM: reduced size, fast data transfer rates, universal use and low power consumption. In one form, the said device is composed of three main operational layers: the memory, the logical memory manager and the supervisor. The memory can be flash memory, which needs a few special features; a physical memory manager will take into account the timing and format constraints that characterise the chosen technology. The logical memory manager will be responsible for controlling the relationship between the physical memory and the file memory unit; the MMU will contain a garbage collector and a directory which describes each file according to its location, size and common attributes. The supervisor will be responsible for the overall activity of the MMU and for communications with the smart card (3) and the PC (4); in particular, the supervisor will be responsible for managing the security of the memory.
Referring to Figure 2, one example of the unit architecture according to the said invention is shown.
This architecture is given by way of example for the sole purpose of showing the flexibility of a system for implementation. In this form, the link between the PC (8) and the MMU can be a parallel 32-bit connection (9), as fast as the memory can accept. The link between the MMU and the memory will depend upon the architecture and type of memory (10) used (eg. CompactFlash). Although it is necessary for the smart card (11) and the PC (8) to exchange commands, there will be no direct link between them in this form of the invention: every exchange passes through the supervisor. To simplify the design requirements, the supervisor will manage incoming messages according to the protocol suite and the attributes of the messages themselves. Thus much of the security and the flexibility of the MIM will rely upon the protocols between the individual units. The PC (8) will be used by the user to initiate card commands. The smart card (11) will verify the security conditions and then send a command to the supervisor for execution of access control. Access will be granted by the supervisor only if it recognises the presence of an authorised smart card (11). To maintain and enhance the high level of security that can be offered by a smart card, the MMU will be required to manage a unique directory to be shared only with the use of an authorised smart card(s). A PCMCIA bus connection will form the only physical link between the host PC, from which inquiries are initiated, and the MIM unit (12). The memory storage area in this example could consist of two main volumes. One area, classified as 'Public', can be readily accessed and used without the need for a smart card; this unprotected area can be used for backup, storage and management of less sensitive information. The other is classified as 'Private' and secured using the smart card (11). The file configuration and access privileges can be selected, configured and dynamically managed during the lifetime of the MIM card, according to the needs of the MIM card owner. The link between the smart card and the MU, and between the smart card and the MMU, could be a two-way single-channel interaction using the smart card's bidirectional serial I/O port; use of a second smart card I/O port might be considered at a future stage. In this form of the said invention, the smart card will not be required to cipher data. However, the option to cipher data for transmission could be added to secure person-to-person communications between partner MIM units. The main role of the smart card is to manage access to the MU private volume in cooperation with the MMU. In one form of the said device, this can be done by the smart card making available to the MU the specific set of secure keys (interfaces) required to find and retrieve the data contents of a file; the specific set of operations required is known only to the smart card.
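The exchange just described, as an added example that is not code from the patent or from any MIM product: a small Python model in which the host PC can only issue commands to the MMU's supervisor, the smart card verifies its own security conditions (here a PIN, an assumption), and the supervisor releases 'Private' files only while an authorised card is inserted. The class names, card identifiers, PIN values, the in-memory directory and the use of PermissionError to signal a refusal are all assumptions made for illustration.

```python
"""Toy model of the access-control exchange of Figure 2.

Added example, not code from the patent: class names, card ids, PIN values,
the in-memory directory and PermissionError for a refusal are assumptions.
The structure is the patent's: the host only talks to the MMU's supervisor,
the card verifies the security conditions, and the supervisor releases
'Private' files only while an authorised card is present.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PUBLIC = "public"    # volume readable without a secure key
PRIVATE = "private"  # volume gated by the smart card


@dataclass
class SmartCard:
    """The removable secure key. It never sees the host: the supervisor
    relays the security check to it and gets a yes/no answer back."""
    card_id: str
    pin: str  # assumption: a PIN is the card's security condition

    def verify(self, pin: Optional[str]) -> bool:
        # constant-time comparison so a PIN guess cannot be timed
        return pin is not None and hmac.compare_digest(self.pin, pin)


@dataclass
class Mmu:
    """Memory Management Unit: the file directory plus the supervisor.
    `authorised` holds the card ids enrolled for the private volume."""
    authorised: Set[str]
    directory: Dict[str, Tuple[str, bytes]]  # name -> (volume, contents)
    inserted: Optional[SmartCard] = None
    audit: List[str] = field(default_factory=list)

    def insert_card(self, card: SmartCard) -> None:
        self.inserted = card
        self.audit.append(f"insert {card.card_id}")

    def remove_card(self) -> None:
        # pulling the key out revokes private access immediately
        if self.inserted is not None:
            self.audit.append(f"remove {self.inserted.card_id}")
        self.inserted = None

    def _supervisor_allows_private(self, pin: Optional[str]) -> bool:
        card = self.inserted
        if card is None or card.card_id not in self.authorised:
            return False           # no authorised key present
        return card.verify(pin)    # the card checks its own conditions

    def read(self, name: str, pin: Optional[str] = None) -> bytes:
        """Host command: public files need no key; private files are
        released only if the supervisor recognises an authorised card."""
        volume, contents = self.directory[name]
        if volume == PRIVATE and not self._supervisor_allows_private(pin):
            self.audit.append(f"DENIED read {name}")
            raise PermissionError(name)
        self.audit.append(f"read {name} ({volume})")
        return contents

    def write(self, name: str, contents: bytes, volume: str = PRIVATE,
              pin: Optional[str] = None) -> None:
        """Host command: writes to the private volume are gated the same way."""
        if volume == PRIVATE and not self._supervisor_allows_private(pin):
            self.audit.append(f"DENIED write {name}")
            raise PermissionError(name)
        self.directory[name] = (volume, contents)
        self.audit.append(f"write {name} ({volume})")


def try_read(mmu: Mmu, name: str, pin: Optional[str] = None) -> Optional[bytes]:
    """Host-side helper: contents on success, None if the supervisor refused."""
    try:
        return mmu.read(name, pin)
    except PermissionError:
        return None


def build_demo_mmu() -> Tuple[Mmu, SmartCard, SmartCard]:
    """Constructed sample set-up: one enrolled card and one stranger's card."""
    enrolled = SmartCard("card-0001", "1234")
    stranger = SmartCard("card-9999", "0000")
    mmu = Mmu(authorised={"card-0001"},
              directory={"notes.txt": (PUBLIC, b"shopping list"),
                         "patient.dat": (PRIVATE, b"ECG trace")})
    return mmu, enrolled, stranger


if __name__ == "__main__":
    mmu, enrolled, stranger = build_demo_mmu()
    print(try_read(mmu, "notes.txt"))            # b'shopping list', no key needed
    print(try_read(mmu, "patient.dat"))          # None: no key inserted
    mmu.insert_card(enrolled)
    print(try_read(mmu, "patient.dat", "1234"))  # b'ECG trace'
    mmu.remove_card()
    print(try_read(mmu, "patient.dat", "1234"))  # None again
```

The property worth noticing is that the supervisor re-checks card presence on every request instead of caching an earlier decision, so removing the key (remove_card) is what revokes access; that is what makes storing the key and the MIM separately, as the text recommends, meaningful.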
Referring to Figure 3, one example of the physical form and use of the said invention by an individual is shown. The owner(s) of the information stored in the MIM housing (13) is/are responsible for the portability, physical storage and access to the MIM containing the data, as well as for the specific 'electronic key' (14) required to access the information. The owner(s) of the information is/are therefore able to have more personal control over the creation of higher levels of physical and personal trust in the security of the system. This invention also makes it possible for one 'electronic key' (14) to be configured so that access to information on one or many MIM units can be enabled. Conversely, it is also possible for one or many 'electronic keys' to be enabled to provide access to information stored in a single MIM unit. A bio-identifier such as a thumb/finger print may also be added to the MIM housing (13) to increase the level of security by ensuring that the user of the unit is authorised (authentication). For very high security levels, the protocol may require a thumb/finger print after the secure key is inserted into the MIM unit, to validate and authenticate both the user and the secure key prior to initiating requests from the PC (15). If the user and the secure key are accepted, then the user can initiate inquiries and read and write files to the MIM device in a secure environment. After use, the user may remove the MIM device (13) from the PC (15),
SUBSTITUTE SHEET (Rule 26) (RO/AU)
then remove the secure key (14) from the MIM housing (13) for separate safe physical storage of both component parts. The MIM interface shown by way of example in Figure 3 meets PCMCIA/JEIDA standards and is designed to interface with an MS-DOS file structure within a Windows (TM) environment. The secure key is a smart card (SC). That is, this form of a MIM device will be of the same physical dimensions as a PC card (Type II or III) and designed to interface with a PC card reader housed in a personal computer (PC) or other host. An ISO (International Organization for Standardization) smart card will be able to be inserted into, and removed from, the MIM card housing. CompactFlash (TM) could be used for storage in the MU. Time stamping modules, biometric identifier information and audit management functions might also be added to enhance the security of the MIM card. The MIM unit will also require the smart card to co-operate with the MMU to protect the MIM against anticipated hardware attacks. Although it will be necessary for the smart card and the PC to exchange commands, there will be no direct logical or hardware link between them in this architecture. To meet the design requirements, the supervisor of the MMU will manage incoming messages according to the protocol suite and the chosen attributes of the messages. Thus much of the MIM unit's security and flexibility will rely upon the exchange protocols between the individual units. The structure of the file management will be determined by the security model, which will create the appropriate groups according to the security requirements of the application designer, rather than by an alternative model such as a tree that does not necessarily match the real needs of the application. The commands used are also an important consideration, with several options that might be considered. In one example, any profile of operational privileges can be produced by a five-bit word: READ-FILE (RF), bit 0; READ-ONCE (RO), bit 1; UPDATE (UP), bit 2; WRITE-FILE (WF), bit 3; DELETE (DEL), bit 4. One form of the said invention might add three bits for the domain manager: one for permission to CREATE a file, a second for permission to DISCARD a file, and a third to act on domains: CREATE-FILE (CF), bit 5; DISCARD-FILE (DF), bit 6; CREATE-DOMAIN / DISCARD-DOMAIN (CDD), bit 7. Some other commands can be useful, but they are not necessarily compatible with the existing ones. We consider that the application manager may benefit from combining some of them in different ways rather than from an enlarged vocabulary of commands. It will also be necessary to incorporate a set of security management commands. For example, the following set might be used:
G-GRANT Grant security access rights.
R-REVOKE Revoke security access rights.
H-HIDE Hide the reference to a file in the MIM directory displayed on the PC's monitor.
RH-REVEAL HIDDEN Reveal a previously hidden MIM file so that it is seen again in the MIM directory displayed on the PC's monitor.
CS-CHANGE SECURITY Change the security access requirements. For example, the user can choose to add, remove or alter the access conditions for a certain file (or group of files). To alter the level of security, the following might be possible security management options for a particular smart card: PIN, bio-identifier, electronic signature or a password.
A-AUDIT Manage and access audit functions.
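The privilege word and the security management commands just listed, as an added example that is not code from the patent or from any MIM product: a Python model of the MMU directory that encodes and decodes the eight-bit word with the bit positions given above, implements G-GRANT, R-REVOKE, H-HIDE, RH-REVEAL HIDDEN, CS-CHANGE SECURITY and A-AUDIT as operations on a per-file, per-key table, and provides the check() the supervisor would consult before serving a request. The names in the code, the table layout, the rule that only the owner's key may issue management commands, the audit record format, and the reading of READ-ONCE as a privilege consumed by a single read when READ-FILE is not also held are assumptions made for illustration.

```python
# Privilege word and security-management commands of the preferred embodiment.
# Added example, not code from the patent; the lead-in lists what is assumed.
from typing import Dict, FrozenSet, Iterable, List, Set

# Five operational bits (0-4) followed by the three domain-manager bits (5-7).
RF, RO, UP, WF, DEL, CF, DF, CDD = (1 << i for i in range(8))
NAMES = {RF: "READ-FILE", RO: "READ-ONCE", UP: "UPDATE", WF: "WRITE-FILE",
         DEL: "DELETE", CF: "CREATE-FILE", DF: "DISCARD-FILE",
         CDD: "CREATE/DISCARD-DOMAIN"}
BY_NAME = {name: bit for bit, name in NAMES.items()}


def encode(names: Iterable[str]) -> int:
    """Build an 8-bit privilege word from command names."""
    word = 0
    for name in names:
        word |= BY_NAME[name]
    return word


def decode(word: int) -> List[str]:
    """Names of the bits set in a privilege word, low bit first."""
    return [NAMES[bit] for bit in sorted(NAMES) if word & bit]


class SecureDirectory:
    """MMU directory: a privilege word per file per secure key, hidden flags,
    per-file access conditions (CS-CHANGE SECURITY) and an audit trail."""

    def __init__(self, owner_key: str) -> None:
        self.owner_key = owner_key                   # the key allowed to manage
        self.acl: Dict[str, Dict[str, int]] = {}     # file -> key -> word
        self.conditions: Dict[str, Set[str]] = {}    # file -> {"PIN", ...}
        self.hidden: Set[str] = set()
        self.audit: List[str] = []

    def _manage(self, actor: str, cmd: str, detail: str) -> bool:
        ok = actor == self.owner_key   # assumption: only the owner's key manages
        self.audit.append(f"{'' if ok else 'DENIED '}{cmd} by {actor}: {detail}")
        return ok

    def _set_bits(self, actor, cmd, key, name, word, on) -> bool:
        if not self._manage(actor, cmd, f"{key} {name} {decode(word)}"):
            return False
        per_key = self.acl.setdefault(name, {})
        old = per_key.get(key, 0)
        per_key[key] = (old | word) if on else (old & ~word)
        return True

    def grant(self, actor: str, key: str, name: str, word: int) -> bool:
        """G-GRANT: add privilege bits for `key` on file `name`."""
        return self._set_bits(actor, "GRANT", key, name, word, True)

    def revoke(self, actor: str, key: str, name: str, word: int) -> bool:
        """R-REVOKE: clear privilege bits for `key` on file `name`."""
        return self._set_bits(actor, "REVOKE", key, name, word, False)

    def hide(self, actor: str, name: str) -> bool:
        """H-HIDE: omit the file from the directory listing shown on the host."""
        ok = self._manage(actor, "HIDE", name)
        if ok:
            self.hidden.add(name)
        return ok

    def reveal(self, actor: str, name: str) -> bool:
        """RH-REVEAL HIDDEN: show the file in the listing again."""
        ok = self._manage(actor, "REVEAL-HIDDEN", name)
        if ok:
            self.hidden.discard(name)
        return ok

    def change_security(self, actor: str, name: str, conds: Iterable[str]) -> bool:
        """CS-CHANGE SECURITY: conditions (PIN, bio-identifier, ...) for `name`."""
        needed = set(conds)
        ok = self._manage(actor, "CHANGE-SECURITY", f"{name} {sorted(needed)}")
        if ok:
            self.conditions[name] = needed
        return ok

    def audit_trail(self, actor: str) -> List[str]:
        """A-AUDIT: only the owner's key may read the trail."""
        return list(self.audit) if actor == self.owner_key else []

    def listing(self) -> List[str]:
        """Directory as displayed on the host: hidden files are omitted."""
        return sorted(n for n in self.acl if n not in self.hidden)

    def check(self, key: str, name: str, op: int,
              satisfied: FrozenSet[str] = frozenset()) -> bool:
        """May `key` perform the single-bit operation `op` on `name` now?"""
        if not self.conditions.get(name, set()) <= satisfied:
            self.audit.append(f"DENIED {NAMES[op]} {name} by {key}: conditions")
            return False
        word = self.acl.get(name, {}).get(key, 0)
        if op == RF and not (word & RF) and (word & RO):
            self.acl[name][key] = word & ~RO    # READ-ONCE: consumed on use
            self.audit.append(f"READ-ONCE {name} by {key} (consumed)")
            return True
        allowed = bool(word & op)
        self.audit.append(f"{NAMES[op]} {name} by {key}: {'ok' if allowed else 'DENIED'}")
        return allowed
```

Two details carry the security point: READ-ONCE is enforced by the directory mutating its own state on the read, so the privilege cannot be replayed, and CHANGE SECURITY adds conditions that are tested before the privilege word is consulted at all, so a key holding a valid word still fails without the PIN or bio-identifier the owner has required.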
To create a MIM device, two different approaches are required, the application design and the technical arrangement, which converge to provide a basis for the design and manufacture of a new palm-size information system with advantages over existing portable data storage units.
To achieve the above stated physical and functional advantages over previously known portable data storage units, one significant architectural feature is the extension of 'electronic key' security to all components of the MIM unit. What is also different is the logical use of the component parts and protocols enabling the unit goals to be achieved. The proposed architecture is also flexible - thus making it possible for more than one model design capable of meeting the operational requirements. The internal architecture of the chosen 'electronic key(s)' to secure the architecture, will also play an essential role in the MIM.
An object-oriented model could offer modularity and clearly defined interfaces for the services needed to achieve the set operational objectives. A direct consequence is the ability to download code dynamically and securely, under the owner's management: the owner can add or remove services and configure the MIM to provide electronic and physical information protection and functionality. If data is uploaded to the MIM memory as objects, then the interfaces could be composed of the necessary set of object operations.
According to one form of the said invention, application drivers may also be packaged and sold in a number of ways. For example, they may be sold with pre-personalised smart cards, with the secure key set already in the ROM mask. Standard MIM cards with application drivers can also be packaged and sold with smart cards and a key creation and management package for the user to manage. MIM ROMs can also be produced and personalised if required. They can also be produced 'blank', without a smart card to secure access; in this form, the owner may continue to use a pre-existing secure key for newly purchased MIMs or MIM ROMs. MIM ROM units produced without the need for a smart card can incorporate security features to ensure that the information has not been altered in any way and to allow usage to be audited. For example, movies, software application files, educational multimedia files and a range of other information can be purchased by the user for later use. This can be useful in the corporate environment, where software use needs to be managed, or in the family, where access to certain contents might need to be restricted for minors or siblings.
The following provides a summary of some of the operational advantages which can be achieved through the application of one form of the said invention:
Portability: A MIM card is palm (or pocket) sized and can be easily carried by the owner.
Mobility: A MIM card can be carried in the pocket of the owner and potentially used in a range of hosts including corporate network terminals, GSM handsets, public access booths or private laptop PC hosts.
Physically robust: A MIM unit is to be made using component parts that are physically very robust. Physically robust microchips for the MIM unit are now becoming available and these can be housed within the confines of a hard protective casing.
Large capacity: The MIM memory can be manufactured to store 4 Gbytes of data, possibly up to 10 Gbytes within the next few years.
Interoperability: One preferred form of MIM interface will meet PCMCIA/JEIDA standards and be designed to interface with an MS-DOS file structure. The secure key of choice will be a smart card (SC), and the MIM card will be designed to interface with a PC card reader housed in a personal computer (PC). The MIM card will therefore be compatible with existing and emerging technologies and applications.
User flexibility: The MIM file and security management scheme are designed to ensure that the user can configure and use the MIM card to meet individual or corporate goals.
Improved data storage and archiving: The MIM card offers users a new secure method of storing and archiving large amounts of sensitive data, compared to existing online distributed or centralised storage systems.
High level of security: The MIM card will be designed to have the highest possible level of security according to the selected options within the smart card and the additional security features that might be added to the MMU/MU and/or secure key unit(s). The security options can be managed by an individual/corporate card owner(s).
Greater individual freedom: The MIM card offers individuals more degrees of freedom and control because the owner can actively and dynamically manage the card to meet their own particular mode of behaviour. This is important as there are few IC card applications with personal flexibility.
Application independent: The MIM card will return files to the owner in the format of the application that created them within a PC host (or other). This means that the MIM is application independent, even though the MIM requires its own software application to be created and some additional software/hardware features may be added.
Ease of use: The MIM user interface will be designed to ensure that the MIM card is managed using an external command set and security management scheme analogous to those of many existing PC applications. This is to ensure familiarity and ease of use for the novice MIM user.
Security advantages: A significant contribution can arise from the approach to be used for the development of the security of a MIM system. In the MIM card, the role of the smart card as a secure agent is fundamentally different from that in previous one-card systems. The software and hardware approach to be used enables a secure environment to be created which is suitable for the integration of multiple applications, as well as bypassing the computational bottleneck that occurs if all sensitive data and associated computations are to be fully supported by a single unit. Much of the security of the MIM card will depend upon the range of protocols between the individual units that can be implemented according to the claims of the invention.
INDUSTRIAL APPLICABILITY The following examples of applications are intended to be illustrative but not limitative of the present invention and that other embodiments or uses within the spirit and scope of the invention will suggest themselves to those skilled in the art.
For some individuals, the said invention may be considered to be a convenient way of securely storing and managing personal data files, either at work or at home. For example, at home the MIM could be used to digitally store videos, games or journal subscriptions downloaded from the Internet, or to archive digital family 'snap shots'. Several family members could manage access to files such as 'snap shots' or games. In turn, these could be easily carried to another home for use. A compact and physically robust MIM card also offers a convenient method of storing a large range of multimedia/entertainment files. For the educational or entertainment field, a MIM ROM might also be produced as a convenient form of access and storage of video material. The cost of producing a MIM ROM would also be considerably less than the cost of producing a re-usable MIM card. Yet other individuals may use a MIM as a secure and robust file backup system, with little or no security required for many files. The MIM offers a more physically robust, cost effective and lightweight alternative to the Zip drive, for example. However, the same individual may also want the option of securing access to more sensitive information on the 'private' section of the MIM memory unit. This option and additional flexibility is also available.
Currently there are many applications in the healthcare industry that require much more memory than is available in a smart card, and which must use other technologies, with a significant loss in security. There are numerous examples to illustrate this point. For example, the healthcare industry often requires images to be digitally stored and secured (eg. X-rays and echography records). In the future, it is anticipated that continuous measurements, such as realtime electrocardiogram data or realtime reactions to injections or electrical stimuli according to a complex mathematical protocol, may need to be stored in a more accessible and flexible way. Some existing smart card applications in healthcare also pose problems which can be met by a MIM unit. Another example in healthcare where a MIM card could play an important role is in managing accumulated patient data for critically ill patients admitted to Casualty, where unnecessary time delays can result in fatalities. The goal would be to improve access to the primary care diagnostic information that is necessary during the treatment of critical admissions. The said invention can be used to dramatically improve the time and accuracy limitations of existing record and information systems now in use in some hospitals. In this scenario, the MIM card is able to save time and provide more immediate, complete and integrated information which can be quickly shared among authorised medical staff. The most significant patient benefit is the security, completeness and integration of patient data files during the first few hours of emergency care. The MIM card is also intended to ensure that the data cannot be altered during this critical time. Patient files may be backed up at any time on a centralised system if required.
Another application is in the management of access and payment for Internet services, or future broadband ISDN services. A MIM using an object orientation will be an ideal interface between the user requesting a service and the large number of potential Internet service providers. Secure payment can also be an easily added feature by ensuring that the MIM smart card is SET (Secure Electronic Transaction) enabled. Electronic articles, videos, games, music and images can all be downloaded onto a MIM, whether they attract a fee or not. The main benefit here is that the identity of the individual requesting the service can also be validated if required. For anonymity, there may be no need for the MIM card holder to be known, but the MIM is still able to store downloaded information.
Many consumers regularly accessing vending machines or services currently use smart cards. However, the periodic collection of records describing transaction details cannot be stored on a smart card because of its limited capacity - and data transfers need to be secure and portable. The management data storage unit will require at least the same level of security as that offered by the consumers' smart cards. A similar problem also exists for smart card applications designed for periodically collecting data from various sites such as gas and electricity meters, or automatic toll payment systems on freeways. The utility of military 'dog tags' based on smart card technology could also be expanded and improved if larger amounts of data could be secured and more flexibly managed using a MIM card. The corporate office might also benefit. For example, in many corporations, certified software can pose a logistic problem. Distributing and updating the more sensitive applications is not always possible through a network and people often tend to use more and more diskettes - with little or no security. The video services industry could also benefit. If for example, a person wishes to download a video to a MIM card, they could then manage the access and use of the video with a smart card. Bill payment, video piracy and customer service access rights could all be better managed by the video service provider because of the security features and flexibility of a MIM card. It is also possible for the MIM card to be used as a medium for confidential file exchange - with or without the use of encryption.