WO2000079382A2 - Procede et systeme pour effectuer un controle de securite d'un fichier de description d'un dispositif intelligent - Google Patents

Procede et systeme pour effectuer un controle de securite d'un fichier de description d'un dispositif intelligent Download PDF

Info

Publication number
WO2000079382A2
WO2000079382A2 PCT/US2000/015688 US0015688W WO0079382A2 WO 2000079382 A2 WO2000079382 A2 WO 2000079382A2 US 0015688 W US0015688 W US 0015688W WO 0079382 A2 WO0079382 A2 WO 0079382A2
Authority
WO
WIPO (PCT)
Prior art keywords
dictionary
application
response
logic unit
digest
Prior art date
Application number
PCT/US2000/015688
Other languages
English (en)
Other versions
WO2000079382A3 (fr
Inventor
Augustin Farrugia
Original Assignee
Thinkpulse, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thinkpulse, Inc. filed Critical Thinkpulse, Inc.
Priority to AU54706/00A priority Critical patent/AU5470600A/en
Publication of WO2000079382A2 publication Critical patent/WO2000079382A2/fr
Publication of WO2000079382A3 publication Critical patent/WO2000079382A3/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44521Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Definitions

  • the present invention relates to the field of smart devices. More particularly, the present invention relates to the field of application software used in connection with a smart device.
  • FIG. 1 is a block diagram of a conventional smart device system (1).
  • a smart device (2) is in communication with a terminal (3).
  • Application software that runs on the terminal (3) is often referred to as an "application” (4).
  • Applications (4) interfaces with the terminal hardware (5) through an Application Programming Interface (API) (6).
  • the API is assembled of smart device interfaces that support applications.
  • the API runs on top of a layer of software (not shown) which interacts directly with the terminal hardware. Examples of such layers include the Open Card Framework (OCF) layer, the Personal Computer to Smart Card (PC-SC) layer, and the SunTM initiative layer.
  • OCF Open Card Framework
  • PC-SC Personal Computer to Smart Card
  • SunTM initiative layer the SunTM initiative layer.
  • Application software for processing data on the smart device (2) run on the smart device and interact with the smart device hardware (8) through the smart device operating system (OS) (9).
  • the application (4) running on the terminal (3) interfaces with the applet (7) through the API (6), terminal hardware (5), and the smart device hardware (8).
  • Data is downloaded/uploaded to the smart device (2) by the terminal (3).
  • the terminal can be either of the contact or contactless type.
  • contact type smart devices contact tabs of the terminal establish communication with the smart device through physical contact with contact pads located on the smart device.
  • radio frequency (RF) is typically used to provide communication with the smart device.
  • Other contactless terminals can use optical, microwave, or other communication methods.
  • APIs are optimized to support a specific functional implementation of a particular terminal-device combination.
  • an API designed for use with a smart device functioning as an electronic purse is optimized to support those functions commonly used in implementing electronic purse applications.
  • an API designed to support loyalty award applications such as airline frequent flyer rewards program, is optimized to support those functions commonly used in implementing loyalty applications.
  • Electronic purse applications would typically not be interoperable with loyalty APIs as such APIs would not support the electronic purse functionality.
  • loyalty applications and applets are typically not interoperable with electronic purse APIs. In this manner applications intended for a given functional implementation, such as loyalty, are typically only interoperable with APIs for the same functional implementation.
  • APIs are typically optimized to work with a particular smart device from a particular manufacturer.
  • An API for a particular manufacturer's electronic purse smart device supports different application functionalities than an electronic purse API designed for another manufacturer's smart device. Additionally, even different models of electronic purse smart devices from a particular manufacturer may require a different APIs that are not interoperable with applications written for the other models of electronic purse smart devices from the same manufacturer.
  • APIs are also typically optimized to work with a particular reader. Thus, an application written for a given API may be capable of being used with a small subset of available smart devices in combination with a particular set of readers. This results in a lack of interoperability of applications written for loyalty across APIs for cards from different manufacturers and for particular terminals.
  • FIG 2 is a block diagram illustrating the architecture of a typical Java card system (10).
  • a Java card (11) is a conventional smart device that may run Java applets (12). Java applets (12) are executed by the smart card Java card virtual machine (JCVM) (13).
  • the JCNM (13) runs on top of the smart card's OS (14).
  • the OS (14) interfaces with the hardware (15) of the smart card.
  • Java applications (16) run on the JVM (17) of the terminal (18).
  • the terminal (18) is in communication with the Java card (11) can be either a contact or contactless terminal. Applications interface with the hardware of the terminal (19), the hardware of the Java card, and the Java applet through the API (20).
  • the API (20) interfaces with the application to support the functionality of the intended use of the Java card. Because of the premium on memory of the terminal, the API typically is optimized to support the functionality for the intended use of the smart card. Thus, an API optimized for electronic purse applets would typically not be able to support loyalty applications. Similarly, an API optimized for loyalty would not be able to support electronic purse applications. In this manner, the Java card has the same disadvantages of the conventional smart card architecture shown in Figure 1. Attempts to allow interoperability of applications, in either the conventional architecture of Figure 1. or the Java card architecture of Figure 2. result in a loss of supporting functions for applications written for the intended use of the card. The architectures of the presently available smart card systems force designers to make a trade off between interoperability and functionality, with most systems choosing functionality over interoperability.
  • the conventional architecture of applications and APIs also has the disadvantage that when a new smart device or terminal is introduced, often with a new functionality', existing applications often are not interoperable with an API intended for the new smart device or terminal. An API released prior to the development of the new functionality would not support new functionalities.
  • One important aspect of smart devices is their security feature that prevents unauthorized access of the applet and memory stored on the device.
  • Figure 1 is a block diagram depicting the application system architecture of a conventional smart card.
  • Figure 2 is a block diagram depicting the application system architecture of a conventional JavaTM card system.
  • Figure 3 is a block diagram of an application for the smart device including an application logic unit and an application protocol, in accordance with the present invention.
  • Figure 4 depicts the architecture of the application and linking engine, in accordance with the present invention.
  • Figure 5 is a flow chart illustrating the process implemented by the linking engine in running the application, in accordance with the present invention.
  • Figure 6 is a flow chart illustrating the process of selecting the appropriate dictionary for the hardware implementation used at the run time of the application logic unit, in accordance with the present invention.
  • Figure 7 is flow chart illustrating the process of running an application in accordance with the present invention.
  • Figure 8 is flow chart illustrating the process of running a dictionary security check in accordance with the present invention.
  • the present invention provides a linking engine for smart devices which links the logic of the application, the application logic unit, to a hardware specific description of the application, the application protocol.
  • An application logic unit is written in a conventional computer language and expresses the logic of the application without regard for the specific hardware implementation of the terminal and smart device.
  • the linking engine looks up the appropriate dictionaries corresponding to the hardware elements. Each dictionary has a boot process which, when run. outputs a predetermined response when the hardware used is the hardware the dictionary describes. In this manner dictionaries retrieved from a set of dictionaries are tested to find the dictionary appropriate for the terminal and smart device present when the application logic unit is to be run.
  • the present invention is described in the context of a specific embodiment. This is done to facilitate the understanding of the features and principles of the present invention and the present invention is not limited to this embodiment.
  • the present invention is described in the context of a smart device.
  • smart devices applicable to the present invention include, without limitation, smart cards, smart watches, smart tags, smart wristbands, and smart pendants.
  • Smart devices can be either of the processor type, where the device has the ability to run applets to process data, or of the memory type, where the device is sued to store data.
  • the present invention is described in the context of a terminal.
  • a terminal can be any computing device capable, by itself or with other devices, of communicating with a smart device. Examples of terminals include, without limitation, personal computers, server computers, hand-held computers, point of sale terminals, portable phones and communication devices, and computer networks.
  • Figure 3 is a block diagram depicting the architecture of an application program
  • application (30) in accordance with the present invention.
  • the application typically runs on a terminal in communication with a smart device.
  • Applications can be any implementation of the processing of data. Typical examples of applications include the debit functions in an electronic purse card, credit and add loyalty points in a frequent flyer program card, key generation in a security authorization card, memory retrieval in a medical history card, or security and memory functions common to many card implementations.
  • the application (30) of the present invention is segregated into two categories of software to form the application.
  • the application (30) is composed of an application logic unit (31) and an application protocol (32).
  • the application logic unit is the logic of the application, independent of the hardware implementation.
  • the application protocol is a hardware specific component of the application and provides the data and rules necessary to implement the logic of the application protocol on a specific hardware implementation.
  • Figure 4 is a block diagram of the architecture of the application logic unit (31), linking engine (33) and terminal hardware (34).
  • the application logic unit interacts with the linking engine to link an application protocol to the application logic unit.
  • the linking engine interacts with a set of dictionaries (35) containing at least one dictionary (36).
  • a dictionary (36) includes a description (37) relating to the terminal hardware (34) and to the smart card hardware (not shown). More particularly, the dictionary includes a series of verbs (not shown). The verbs are described in the body of the dictionary, the description being the definition of the verb. The definition of the verb is the hardware specific component of the application.
  • the set of dictionaries (35) are specified in a boot file (38). The boot file is used by the linking engine (33) in testing the dictionary to determine whether that dictionary is the appropriate dictionary for the smart device and terminal present at the run time of the application.
  • the appropriate dictionary is used as the application protocol which, when linked to the application logic unit, provides the hardware specific component of the application
  • Figure 5 is a flow chart of the process the linking engine utilizes in running an application.
  • the linking engine has been established and the application logic unit has initiated a boot check request prior to step (40), as described below in connection with Figure 7.
  • the linking engine waits for an indication that a smart device is in communication with the terminal.
  • the linking engine proceeds to step (41) to initiate a compatibility test for the dictionary to use as the application protocol.
  • the process of selecting a dictionary for use as the application protocol is described below in connection with Figure 6.
  • the linking engine receives from the application protocol selection process the identifier of the compatible dictionary to use as the application protocol.
  • the dictionary corresponding to the identifier is used as the application protocol.
  • the linking engine then proceeds to step (43) to wait for a method call from the application logic unit.
  • the linking engine In response to a method call from the application logic unit the linking engine proceeds to step (44) to look-up the method in the application protocol.
  • the linking engine determines whether a verb corresponding to the method exists in the application protocol. If the verb does not exist, the linking engine returns to step (44) to wait for a method call from the application logic unit. If the verb does exist in the application protocol, the linking engine proceeds to step (46) where the linking engine retrieves the definition from the application protocol and links the definition to the method call from the application logic unit. The linking engine then uses the verb's definition at step (47) in executing the method call from the application logic unit. The description in the application protocol of the hardware is used to generate responses to the method call. The responses generated at step (47) from executing the method call according to the rules and data of the definition are then returned to the application logic unit at step (48). The linking engine returns to step (43) to wait for a method call from the application logic unit.
  • the linking engine may return a critical fault to the application logic unit in response to any condition which jeopardizes the proper execution of the application logic unit.
  • the conditions which may give rise to a critical fault include the absence from the application protocol of a critical definition, absence from the application protocol of critical rules or data, absence of critical data from the application logic unit being passed to the method call, problems with the data used in the method call, or an inappropriate responses to executing the method call.
  • the conditions that trigger a critical fault are included in the application protocol.
  • Figure 6 is a flow chart illustrating the process used by the linking engine in selecting a dictionary for use as the application protocol with a given terminal and smart device.
  • the linking engine receives a boot check request, or dictionary selection request, from an application logic unit.
  • the linking engine retrieves a list of potentially compatible dictionaries.
  • the list of potentially compatible dictionaries includes those dictionaries specified as potentially compatible with the application logic unit, the terminal and the smart device. More preferably, the dictionaries included on list of potentially compatible dictionaries are pre-selected to include dictionaries that are compatible with the terminal and application logic unit. In such a case, the list of dictionaries is inclusive of all the dictionaries that may be needed to provide a description compatible with any smart devices available for use with the application and terminal.
  • the list of dictionaries is located on a file separate from the application logic unit.
  • This file is referred to as the boot file.
  • this file can be updated to add dictionaries, as when a new smart device is introduced, without the need to modify the application logic unit.
  • the boot file includes an address specifying where to find the dictionary.
  • the dictionary can be located on a computer accessible by the terminal through a network or Internet connection, or the dictionary can be stored in the memory of the smart device.
  • the dictionary remote from the smart device reduces the memory requirements of the smart device. Additionally, remote storage of the dictionary allows additional dictionaries to be added to the boot file without having to download dictionaries to the smart device.
  • Remote storage of the dictionary also allows the dictionary to be modified, should this deem desirable.
  • storage of the dictionary on the smart device provides additional assurance that the dictionary has not been modified, especially when the dictionary is stored in write resistant memory.
  • Storage of the dictionary on the smart device allows access of the dictionary when the terminal is not able to access a network, or the Internet.
  • a core set of dictionaries is stored on the card and an enhanced set of dictionaries is stored in a remote file.
  • the core dictionaries support the basic functionality of a given card.
  • the enhanced dictionaries provide support to additional features available for use with the card. In this manner the card provides basic support common with off-line applications, in addition to providing enhanced functionality common with on-line applications.
  • the linking engine selects one of the dictionaries listed in the boot file for compatibility testing.
  • the linking engine retrieves the dictionary selected at step (52).
  • the linking runs the boot to scan the retrieved dictionary to retrieve selected segments of the dictionary for input to the linking engine for compatibility testing.
  • the boot file provides a description of the segments of the dictionary to be scanned and used in generating the output value of the compatibility test.
  • the linking engine generates an output value based on the specified dictionary information.
  • the linking engine receives the output value from the compatibility test.
  • the output value is compared to a bootcheck value at step (56).
  • the bootcheck value is a standard value common for all smart devices.
  • the bootcheck value may be stored in the application logic unit, the boot file, or the dictionary. If the output value is the same as the bootcheck value the linking engine adds the dictionary corresponding to the output value to a list of compatible dictionaries at step (57). The linking engine then proceeds to step (58). If at step (56) the output value is not the same as the bootcheck value the linking engine proceeds to step (58) without adding the dictionary corresponding to the boot to the compatible dictionary list.
  • the linking may generate a plurality of output values based on the boot file, the output values being dependent on the smart device.
  • the linking engine receives the output values from the compatibility test. The output values are compared to the corresponding bootcheck values at step (56). If the output value is the same as the bootcheck value corresponding to the same functionality being tested the linking engine adds the dictionary corresponding to the output value to a list of compatible dictionaries at step (57). The linking engine then proceeds to step (58). If at step (56) the output value is not equal to the bootcheck value the linking engine proceeds to step (58).
  • step (59) the lining engine checks whether all of the dictionaries listed in the boot file have been tested for compatibility. If all of the dictionaries have not been tested, the system returns to step (52). If all of the dictionaries have been tested, the linking engine proceeds to step (59). In the presently preferred embodiment of the present invention the linking engine tests all of the dictionaries and compares the output value form each dictionary against the bootcheck value. All the dictionaries having an output value equal to the bootcheck value are added to the list of compatible dictionaries.
  • the linking engine can compare the dictionaries on the list of compatible dictionaries to select which dictionary to specify as the application protocol. Selection could be based on the smallest file size of the dictionary, the most features of the dictionary, or some other criteria. Alternatively, as all of the dictionaries are suitable for use as the application protocol, the linking engine may select any of the dictionaries from the list at random. This selection process, by any suitable process, is performed at step (59). At step (60) the linking engine returns the identifier of the dictionary selected for use as the application protocol to the application logic unit.
  • Figure 7 is flow chart illustrating the process of running an application in accordance with the present invention.
  • the application logic unit begins the process of creating a virtual smart device by creating a profile for the dictionary.
  • the application logic unit establishes the linking engine to run on top of any software layer which interacts with the terminal hardware.
  • the linking engine is stored on the terminal.
  • Step (71) makes an initial call to the linking engine.
  • the virtual smart device is created as running on top of the terminal hardware layer of software and referencing the profile for the dictionary. Creating a virtual smart device allows the application logic unit to access the linking engine to link the application logic unit to an application protocol.
  • the application logic unit initiates a boot check to find the dictionary to be used as the application protocol.
  • the boot check process is described in detail above in connection with Figure 6.
  • the dictionary selected during the boot check process is returned at step (74) and is used as the application protocol.
  • the application logic unit invokes a method call.
  • a method call can be any logical process to access or manipulate data on either the smart device or the terminal. Checking the balance in the card's electronic purse is one example of a method call. Another example of a method call is the debiting of loyalty points in a smart card.
  • the linking engine receives the invoked method call at step (43) and uses the dictionary definition of the method in running the application.
  • the linking engine runs a sequence of smart device commands. These commands output responses based on the data from the card and the dictionary.
  • the linking engine returns the responses related to the smart device commands to the application logic unit at step (48) of Figure 5.
  • the application logic unit receives the command output responses at step (76).
  • the application logic unit then continues by either invoking additional method calls, in which the process begins again at step (75), or by ending.
  • Figure 8 is a schematic diagram of the process of checking the dictionary for unauthorized changes implemented by the security manager module of the linking engine. In the preferred embodiment of the present invention the application logic unit will make a call to the linking engine to process a dictionary for a security' check.
  • the linking engine receives a request from the application logic unit for a security check of a dictionary.
  • the linking engine scans the dictionary for a security manifest.
  • the security manifest is part of the dictionary it is associated with. In scanning for the security manifest the linking engine receives a security profile for the associated dictionary.
  • the security profile is a set of rules to be applied in checking that there have been no unauthorized changes to the dictionary.
  • the security profile includes identifiers specifying the algorithm the linking engine is to use in processing the dictionary for unauthorized changes. When applied to an test character string the specified algorithm returns a unique value that cannot be produced by applying the algorithm to any other character string that is not identical to the test character string.
  • the security manifest also includes the unique value resulting from applying the specified algorithm to the corresponding segment of the dictionary, herein referred to as a verification digest.
  • the linking engine receives the security profile contained within the security manifest.
  • the linking engine sets the algorithm, or algorithms, to be used in processing the dictionary.
  • the linking engine scans the dictionary to retrieve the segments of the dictionary specified in the profile.
  • the segments of the dictionary specified by the profile are processed according to the algorithm specified at step (83) to produce an output digest.
  • the output digest resulting from applying the algorithm to the specified dictionary is compared against a verification digest corresponding to the specified dictionary segments at step (86).
  • the verification digest is the resultant output from applying the algorithm to the original dictionary segments specified in the security profile.
  • the verification digest is created and stored by the party creating the dictionary ' s security manifest.
  • any changes to the original dictionary segments specified in the security profile will produce an output digest that differs from the verification digest. If at step (86) the output digest is equal to the verification the linking engine declares at step (87) the dictionary secure for use with the application logic unit and the smart device. If at step (86) the output digest is not equal to the verification digest the linking engine declares at step (88) that the security of the dictionary has been compromised.
  • the application logic unit may proceed to request another dictionary is deemed compatible with the application logic unit, and which is declared to be secure, be selected for use as the application protocol.
  • the security manifest may include a signature, related signature algorithm, and certificate, to allow verification of the origin of the security manifest and associated dictionary.
  • the security profile may specify any segments of the dictionary to check for unauthorized tampering.
  • the profile allows seven separate segments of a dictionary to be specified. These segments include the Profile, the Signature, the ProcessName, the Member, the Process, the EventDefinition, and the EventSetting.
  • the Profile protects only the name of the profile.
  • the Signature protects only the signature tag, its attributes and any related process description, when required.
  • the ProcessName only protects all the process names and attributes included in the description of the dictionary.
  • the Member protects only the members of all processes, which include ⁇ Variable> and ⁇ TLV> for the examples listed below.
  • the Process protects only the content of all of the processes described in the dictionary.
  • the EventDefinition only protects the description of the event general description.
  • the EventSetting only protects the description of the event setting for all the processes defined in the dictionary.
  • the boot file for testing compatibility between a dictionary and the application logic unit is also provided.
  • the example application logic unit is written in JavaTM and the related application protocol and boot files are written in XML.
  • XML is chosen for its suitability in providing descriptions of the hardware implementation.
  • an example security manifest is provided which is also written in XML.
  • the line numbers (A 1, A2, A3, ...; B1,B2, B3, ...; C1, C2,
  • the Java example below of an application logic unit is for a loyalty application, as indicated by line Al.
  • This example of an application logic unit checks the loyalty points stored on the smart card, determines whether additional loyalty points are to be credited and added to the loyalty points total, and whether loyalty points are being redeemed and debited from the loyalty points total.
  • the string variable for the dictionary is created.
  • the main part of the program begins at line A190.
  • A207- A215, A226 and A232-A233 a virtual smart card is created to access the linking engine.
  • the boot file is imported to the application as an argument. The boot argument is then used at line A211 in creating the profile instance of the smart card.
  • the process of checking the boot find the appropriate dictionary is initiated.
  • the dictionary determined to be the appropriate dictionary, as described above in connection with Figure 6, is used as the application protocol.
  • the application logic unit is then free to implement the logic of the application using the hardware specific information and rules specified in the dictionary. Accordingly, at line A288 the application begins the logic of implementing a loyalty application.
  • the logic of implementing the loyalty application continues through to line A773.
  • the logic of the application includes security check methods, balance check methods, methods to redeem and award loyalty points, as well as methods to report and collect information form the cardholder and the merchant sponsoring the loyalty program
  • the application logic unit provides a security check procedure.
  • the application logic unit reads the value of the transaction for crediting loyalty points to the cardholder from line A367 through line A375.
  • the application logic unit prompts the entering of the amount of the transaction at lines A370- A372.
  • the amount of the transaction is read at line A374.
  • the example application logic unit contains four verbs: GetCardlnfo, verify, TransactionAward, and TransactionRedeem.
  • the first method call for the verb GetCardlnfo is at line A410.
  • the first method call for the verb verify is at line A657.
  • the first method call for the verb TransactionAward is at line A533.
  • the first method call for the verb TransactionRedeem is at line A576.
  • the first method call for all four of the verbs used in the application logic unit are after the application logic unit has specified the dictionary to be used as the application protocol. In this manner the definitions of the verbs in the application protocol are linked to the method in the application logic unit prior to the invocation of the method call.
  • NotSecuredPurse localPurse NotSecuredPurse. getlnstance () ;
  • A110 MemberHolder outMembers (MemberHolder) _o[0];
  • setBalance (outMembers, cardBalance) ;
  • NotSecuredPurse localPurse NotSecuredPurse. getlnstance i
  • setBalance (outMembers, cardBalance) ;
  • Profilelmpl theProfiles new Profilelmpl (xml_fllename) ;
  • runProcess "getFile", arguments, A238 theProfiles) ; ⁇ A239 A240 catch (ProfileException pe) ⁇ A241 theTerminal .
  • displayMessage ("The system has detecte ⁇ a problem.” + A242 " ⁇ nError message: " + pe . getMessage ( ) + A243 " ⁇ n XnPlease, contact your service provider.”); ⁇ A244 catch (RunProcessException rpe) ⁇ A245 theTerminal . displayMessage ("The runtime environment has detected a A246 problem. " + A247 "XnError message: " + rpe .
  • A351 desAlgonthm. encrypt (baCertificate) ;
  • A373 state AWARD_STATE
  • A421 // interface implementation provided by the Converter.
  • A422 // interface implementation provided by the Converter.
  • A425 // invocation on purpose.
  • the target of this implementation is to
  • A426 measure the A427: // correction to bring in the loyalty. java file to move from one
  • A429 // the stub implementation.
  • A431 catch ( ProflleException pe)
  • A432 theTerminal . displayMessage ("The system has detected a problem.” +
  • A436 theTerminal. displayMessage ("The runtime environment has detected a A437:problem. " +
  • cardHolderlnfo ((Variable) f dMember ( "CardHolderName”,
  • A446 responseProcess) ) .toStr gO ;
  • A447 cardHolderlnfo.trimO ;
  • A451: A452: lastTransactionAmount ((Variable) fmdMember ( "LastTransactionAmount",
  • transactionType ( (Variable) fmdMember ( "transactionType"
  • baDate ⁇ (byte) (date. get (Calendar . YEAR) - 1900),
  • A520 lAmount Integer .parselnt (theTerminal . getMessage ()) ;
  • baAmount [0] Hex. tegerToBytes (lAmount ) [1] ;
  • baAmount[l] Hex. mtegerToBytes (lAmount) [2] ;
  • baAmount [2] Hex . mtegerToBytes ( lAmount ) [ 3] ;
  • A554 state NONE STATE; // stop the state machine
  • A559 // 1 - update the amount to redeem
  • baAmount new byte [3] ;
  • baAmount[0] Hex. mtegerToBytes (lAmount ) [1]
  • baAmount [1] Hex. mtegerToBytes (lAmount) [2]
  • baAmount[2] Hex. mtegerToBytes (lAmount) [3]
  • A599 state NONE_STATE; ⁇ // stop the state machine
  • A693 * The method looks up m the response members and returns the related A694 imember
  • A708 Enumeration members responseMembers . getMemberList () ,
  • A710 Member member (Member) members . nextElement () ;
  • A712 foundMember member; ⁇ ⁇
  • baAmount new byte [3];
  • baAmount[l] Hex. mtegerToBytes (iBalance) [2]
  • baAmount[2] Hex. mtegerToBytes (iBalance) [3]
  • A741 iBalance - _ ⁇ Amount ;
  • A742 byte[] oaAmount new byte [3];
  • A743 baAmount [0] Hex. mtegerToBytes ( iBalance) [1]
  • A744 baAmount [1] Hex. mtegerToBytes ( iBalance) [2]
  • A745 baAmount [2] Hex. mtegerToBytes (iBalance) [3]
  • A746 ( (Variable) newBalance) .
  • APPLICATION PROTCOL The example of an application protocol listed below from line Bl through B803 provides the data and rules for implementing the logic of the application logic unit listed above on a GemplusTM GemXplore98TM smart card.
  • the card the dictionary is compatible with is specified at line B6.
  • This example dictionary includes definitions on four verbs: GetCardlnfo, verify, TransactionAward, and TransactionRedeem. At line B10 the verb GetCardlnfo is specified. The two method calls for the verb
  • GetCardlnfo in the example of the application logic unit, described above, are at lines A410 and A413.
  • the definition of the verb GetCardlnfo is provided at lines Bl 1 through B293.
  • Lines B15 through B57 list data for the implementation of the verb GetCardlnfo.
  • Lines B59 through B293 list the rules used in implementing the verb GetCardlnfo on the Gemplus GemXplore98 smart card.
  • the verb verify is specified.
  • the definition corresponding to the verb verify is provided at lines B295 through B326.
  • Lines B296 through B302 list data for the implementation of the verb verify.
  • Lines B303 through B326 list the rules used in implementing the verb verify on the Gemplus GemXplore98 smart card.
  • the only method call for the verb verify in the above example of an application logic unit is at line A657.
  • the verb TransactionAward is specified.
  • the definition of the verb TransactionAward is provided at lines B328 through B554.
  • Lines B332 through B377 list data for the implementation of the verb TransactionAward.
  • Lines B379 through B554 list the rules used in implementing the verb TransactionAward on the Gemplus GemXplore98 smart card.
  • the only method call for the verb TransactionAward in the above example of an application logic unit is at line A533.
  • the verb TransactionRedeem is specified.
  • the definition of the verb TransactionAward is specified at lines B295 through B326.
  • TransactionRedeem is provided at lines B555 through B785.
  • Lines B559 through B595 list data for the implementation of the verb TransactionRedeem.
  • Lines B597 through B803 list the rules used in implementing the verb TransactionRedeem on the Gemplus GemXplore98 smart card.
  • Lines B597 through B785 list the rules used in implementing the verb TransactionRedeem on the Gemplus GemXplore98 smart card.
  • the only method call for the verb TransactionRedeem in the above example of an application logic unit is at line A576.
  • the data and rules used to implement the definition of the verb is particular to the smart device, in this example a Gemplus GemXplore98 smart card.
  • Definitions for the same four verbs: GetCardlnfo, verify, TransactionAward, and TransactionRedeem, for implementation with another smart device in connection with the example application logic unit would typically have definitions that differed from the example definitions presented. The definitions could differ in either the data, the rules, or both.
  • B161 ⁇ /Response>
  • B162 ⁇ /Apdu>
  • B274 ⁇ In>"Vo ⁇ d" ⁇ /In>
  • B335:0x00"/> B336 : ⁇ Var ⁇ able Name "memoryLeft"
  • Type "byteArray" De fault
  • Type "byteArray”
  • B363: "0x2F 0x30"/>
  • B501 ⁇ /Response>
  • B502 ⁇ /Apdu>
  • B503 ⁇ /Response>
  • the example of a boot file listed below from line C 1 through line C 177 provides the data and rules for testing a dictionary for compatibility with the example application logic unit listed above.
  • the rules described in the boot file for compatibility testing allow two types of smart cards to be approved as compatible with the example application logic unit. Specifically, the example boot file allows Gemplus GemXplore98. and Gemplus GemClubTM smart cards to be scanned and approved for compatibility with the application logic unit.
  • the procedure implemented according to the rules of the boot file yields a unique, predetermined value for each of these three compatible smart cards. This unique predetermined value is returned to the linking engine as the output value of the boot process and is used to test the compatibility of the card, as described in connection with Figure 6. Additionally, the boot file includes an address where the dictionaries can be retrieved for compatibility testing.
  • the example security manifest found below from lines DI through D32 provides the data and rules for processing an associated dictionary to determine whether any changes have been made to the dictionary.
  • the algorithms are specified.
  • a secure hash algorithm (S A) is used to generate the message digest
  • DSA digital signature algorithm
  • the ProcessName principle is specified for inclusion in the verification testing.
  • the Member principle is specified for inclusion in the verification testing.
  • the EventSettings principle is specified for inclusion in the verification testing.
  • the Signature principle is specified for inclusion in the verification testing.
  • the Profile principle is specified for inclusion in the verification testing.
  • the digest is specified.
  • the signature is specified.
  • At lines DI 1 through line D27 an X509 type certificate is specified.
  • the present invention allows the creator of a dictionary to specify the level of security in the process of verifying the authenticity and integrity of the dictionary.
  • the present invention allows the creator of the dictionary to specify which parts of the dictionary cannot be modified. Accordingly, by not specifying segments of the dictionary for the security check process, these segments are open to subsequent modification.
  • the present invention has the advantage of allowing flexible customizability of authenticity and integrity verification of an associated file.
  • security manifest is presented alone, in the preferred embodiment of the present invention the security manifest will be part of its associated dictionary file.
  • D8 ⁇ D ⁇ cS ⁇ gnature>
  • Dll Certificate "X509">
  • D12 MIICOzCCApICAgPpMAkGBSsOAwINBQAwUzELMAkGAlUEBhMCVVMxE ⁇ AQBgNVBAoTCXNt
  • boot file and application protocol need not be written in the same language, as is done in the present example.
  • the present invention allows a developer of application software to write an application logic unit without concern for the particular hardware implementation of readers, computers, or smart cards.
  • the present invention retrieves the hardware specific description of the logical processes of the application logic unit.
  • the linking engine matches the identifiers specifying the hardware used, the reader, smart card and any computer, to the process called for the in application logic unit.
  • the present invention has the advantage of allowing an application developer to write applications that may be implemented on any combination of terminal or smart device with an existing dictionary for the combination of terminal and smart device.
  • the present invention reduces the burden on the memory of the terminal by allowing hardware specific portions of the application to be downloaded for a specific smart device, thereby eliminating the need to store hardware specific functional elements of the application related to the smart device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Stored Programmes (AREA)
  • Collating Specific Patterns (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un moteur de liaison assurant un procédé de mise en correspondance de la logique d'une application, décrite dans une unité logique d'application, avec la description spécifique du matériel de l'application pour le fonctionnement des applications sur les terminaux à carte intelligente. La description spécifique du matériel de l'application est contenue dans des dictionnaires. Le moteur de liaison teste les dictionnaires afin de vérifier la compatibilité avec l'unité logique d'application en exploitant un processus qui renvoie une réponse prédéterminée uniquement lorsque le dictionnaire décrit l'implantation matérielle utilisée dans ce test. Un dictionnaire émettant la réponse correcte est lié par le moteur de liaison pour fournir la description du logiciel implanté en exploitant la logique de l'application. Le moteur de liaison vérifie l'intégrité des segments du dictionnaire spécifiés dans un manifeste de sécurité. Ce manifeste spécifie, en outre, l'algorithme à appliquer aux segments spécifiés en comparant la sortie de l'algorithme à un condensé de vérification également compris dans le manifeste de sécurité.
PCT/US2000/015688 1999-06-20 2000-06-07 Procede et systeme pour effectuer un controle de securite d'un fichier de description d'un dispositif intelligent WO2000079382A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU54706/00A AU5470600A (en) 1999-06-20 2000-06-07 Method and system of performing a security check of a smart device description file

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US33697699A 1999-06-20 1999-06-20
US09/336,976 1999-06-20

Publications (2)

Publication Number Publication Date
WO2000079382A2 true WO2000079382A2 (fr) 2000-12-28
WO2000079382A3 WO2000079382A3 (fr) 2001-08-16

Family

ID=23318551

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/015688 WO2000079382A2 (fr) 1999-06-20 2000-06-07 Procede et systeme pour effectuer un controle de securite d'un fichier de description d'un dispositif intelligent

Country Status (3)

Country Link
AU (1) AU5470600A (fr)
TW (1) TW476909B (fr)
WO (1) WO2000079382A2 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4744106B2 (ja) 2003-08-06 2011-08-10 パナソニック株式会社 セキュアデバイス、情報処理端末、通信システム及び通信方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0717337A1 (fr) * 1994-12-13 1996-06-19 International Business Machines Corporation Méthode et système de distribution sécurisé de logiciels
WO1996036051A1 (fr) * 1995-05-09 1996-11-14 Smartmove (Nz) Limited Interface de carte
EP0778522A2 (fr) * 1995-12-08 1997-06-11 Sun Microsystems, Inc. Système et méthode pour générer des versions sécurisées, architecturellement dédiées et compilées de programmes architecturellement neutres
WO1998025239A1 (fr) * 1996-12-03 1998-06-11 Strategic Analysis, Inc. Procede et dispositif de formatage de carte a puce et de lecteur de carte

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0717337A1 (fr) * 1994-12-13 1996-06-19 International Business Machines Corporation Méthode et système de distribution sécurisé de logiciels
WO1996036051A1 (fr) * 1995-05-09 1996-11-14 Smartmove (Nz) Limited Interface de carte
EP0778522A2 (fr) * 1995-12-08 1997-06-11 Sun Microsystems, Inc. Système et méthode pour générer des versions sécurisées, architecturellement dédiées et compilées de programmes architecturellement neutres
WO1998025239A1 (fr) * 1996-12-03 1998-06-11 Strategic Analysis, Inc. Procede et dispositif de formatage de carte a puce et de lecteur de carte

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Thinkpulse smartX Architecture and Features Overview" -, [Online] December 2000 (2000-12), pages 1-5, XP002160758 Retrieved from the Internet: <URL:http://www.thinkpulse.com/process/hom e/smartx101/smartXarchitectureoverview2.pd f> [retrieved on 2001-02-15] *
FARRUGIA, AUGUSTIN J.: "smartX by Thinkpulse - Technology Overview" -, [Online] January 2000 (2000-01), pages 1-5, XP002160759 San Jose, CA 95110 (US) Retrieved from the Internet: <URL:http://www.thinkpulse.com/process/hom e/smartx101/smartX%20Technical%20Overview. pdf> [retrieved on 2001-02-15] *

Also Published As

Publication number Publication date
WO2000079382A3 (fr) 2001-08-16
AU5470600A (en) 2001-01-09
TW476909B (en) 2002-02-21

Similar Documents

Publication Publication Date Title
WO2000075775A2 (fr) Procede et systeme permettant de relier un fichier de description de dispositif intelligent a la logique d&#39;un programme d&#39;application
Anderson et al. extensible access control markup language (xacml) version 1.0
Buehrer et al. Using parse tree validation to prevent SQL injection attacks
Chang et al. Internal control framework for a compliant ERP system
US9396326B2 (en) User transparent virtualization method for protecting computer programs and data from hostile code
Dalton et al. Nemesis: Preventing authentication & [and] access control vulnerabilities in web applications
US9111119B2 (en) Methods, devices and data structures for trusted data
US8347380B1 (en) Protecting users from accidentally disclosing personal information in an insecure environment
Robertson et al. Static Enforcement of Web Application Integrity Through Strong Typing.
US11189804B2 (en) Organic electroluminescent materials and devices
Anupam et al. Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies.
Pandey et al. Providing fine-grained access control for Java programs
Pavlenko et al. Hierarchical approach to analyzing security breaches in information systems
TW476909B (en) Method and system of performing a security check of a smart device description file
Tuegel ‘Evaluation of prognostic and probabilistic individual aircraft tracking (P2IAT): Volume 2-experimental loading sequences
Paul et al. Comparing java and. net security: Lessons learned and missed
Rote The Largest Inscribed Triangle and the Smallest Circumscribed Triangle of a Convex Polygon
Wellington Dictionary of bibliographic abbreviations found in the scholarship of classical studies and related disciplines
Co ncoo, m
Gaines et al. Dataset associated with “Investigating the origins and evolution of a glyphosate-resistant weed invasion in South America”
LEWIS Symmetry Methods for Understanding Structures of Inorganic Functional Materials
Phiromswad A New Panel Dataset of Potential Determinants of Economic Growth
Hossain et al. An approach to secure multi-tier websites through SQL-Injection detection and prevention
CN108270569A (zh) 一种通过安全接口进行电子签章的方法及系统
Bjerregaard et al. Algorithm to compute the rank and a Cartan subalgebra of a matrix Lie algebra with Mathematica

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP