WO2001095114A1 - Controller and memory for storing and processing security software and data - Google Patents


Info

Publication number
WO2001095114A1
Authority
WO
WIPO (PCT)
Prior art keywords
controller
software
memory
loading
signal
Prior art date
Application number
PCT/AU2001/000317
Other languages
French (fr)
Inventor
Andrew Jamieson
Original Assignee
Mcom Solutions Inc
Priority date
Filing date
Publication date
Application filed by Mcom Solutions Inc
Priority to AU2001239021A
Publication of WO2001095114A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/1097 Boot, Start, Initialise, Power

Definitions

  • This invention relates to a memory and controller device for storing and processing security software and data, and a method of storing software.
  • Electronic devices such as terminals for use in the financial payment industry are usually comprised of a hardware component and a software component. Each of these components is required for the device to operate, and often each of these components requires a separate certification from the financial institution with which the terminal will communicate before the device may be deployed. Specifically, any software that handles the encryption keys of a financial institution requires a "logical security" certification, to ensure that none of these keys are able to "leave" the terminal in an unencrypted form.
  • the electronic hardware component is usually not subject to frequent change, but the software component is variable between financial institutions and often requires revision to include further features or to fix problems.
  • Each modification of this software requires that another certification be performed to ensure that the changes do not violate any of the security tenets of the financial institution.
  • changes to software or to hardware may require a recertification of the device before the device can be redeployed.
  • This problem is compounded in financial payment systems such as eftpos devices which operate by over the air communication and are portable, because the terminals are not fixed in a single location and are generally moved from place to place thereby making it easier to illegally tamper with a device.
  • the object of the present invention is to provide a memory and controller device which stores and processes security software and data and a software storage method which do not require recertification after software modifications to the device.
  • the invention in a first aspect may be said to reside in a memory and controller device for storing and processing security software and data including; a controller; at least one memory coupled to the controller; loading means for allowing security software to be loaded into the controller for storage in a memory location within the memory, and for preventing reloading or alteration of the software in the said storage location within the memory; and the controller being for outputting a control signal to the loading means in response to the software loaded into the said memory location, after loading of the software into the memory location, to disable the loading means to prevent reloading of software or alteration of the software in the said storage location of the storage means.
  • security software can be loaded into the controller for storage in the memory location and thereafter may not be reloaded or overwritten (without permission).
  • the security software so loaded can perform all necessary storage and handling of security data such as financial institution keys, collect plain-text personal identification numbers from a key pad, and display information upon a display screen. Therefore it is possible to obtain a logical security certification on the secure software component and have this certification stand regardless of the application software (insecure software component) that is loaded.
  • the device also includes at least one secure peripheral component and wherein the controller prevents access to the secure peripheral component by anything other than the security software loaded into the storage location in the at least one memory.
  • any application software loaded into the micro-controller component is automatically covered by the logical certification of the secure software component, as it is unable to access any of the secure peripheral components without using the already certified security software.
  • the secure peripheral component includes a keypad for entry of data into the device and/or a display for displaying information to a user, and/or at least one memory location in the at least one memory.
  • the loading means includes control means for supplying a logic signal to the controller to allow loading of software into the controller in a bootloader state, switch means for maintaining the control means in the said logic state, and interrupter means for supplying a signal to the switch means to cause the switch means to change state to cause the control means to change state so that a logic signal is supplied to the controller to prevent loading of software in the bootloader state.
  • the switch means comprises a transistor and a fuse coupled to the control means for causing the control means to supply a logic low to the controller to allow loading of software in the bootloader state.
  • the interrupter means comprises circuit means coupled to the controller for receiving a signal from the controller to switch on the transistor so that power flows through the fuse to blow the fuse, thereby causing the control means to permanently supply the logic signal to the controller preventing loading of software in the bootloader state.
  • the circuit means includes a NAND gate coupled to a base of the transistor so that when a low signal is provided from the controller to the circuit means a high signal is supplied to the base of the transistor to switch the transistor on to cause the fuse to blow.
  • the switch means comprises a controller which outputs a first signal to enable loading of software and outputs a second signal to prevent the loading of software.
  • the second controller is coupled to said controller for receiving a signal from said controller when loading of software is completed to cause the second controller to provide a signal to the controller to prevent loading of software in the bootloader state.
  • the secure peripheral component is prevented from being accessed other than by the security software stored within the said memory location.
  • the controller is connected to the memory by at least one memory switch control line so that when the memory switch control line is activated to address the memory storage location which stores the security software, a signal is supplied to the security peripheral component to enable operation of the security peripheral component.
  • the security peripheral component includes a keypad and the keypad is coupled to the switching control line by at least one switch means so that when a signal is applied to address the security software the switch means is activated to enable operation of the keypad and when the security software is not being accessed the switch line supplies a signal to the switch to prevent access to the keypad.
  • the keypad includes a plurality of scan and read lines which couple the keypad to the controller, the switch comprising a plurality of transistors connected to the scan and read lines so that, dependent upon the signals applied to the switching control line, the transistors are held in a state preventing operation of the scan and read lines so that the keypad is not activated, or allowing operation of the scan and read lines so that the keypad is activated and signals indicative of particular key presses of the keyboard can be read by the controller.
  • the at least one switch control line is connected by second circuit means to the display for enabling the display when the security software is accessed or preventing operation of the display if the security software is not accessed.
  • the second circuit means includes logic circuit means for supplying a high signal to an enable of the display when the security software is being accessed and for providing a low signal to the display if the security software is not accessed.
  • the security peripheral component includes at least one memory location for storing data, the at least one memory location being disabled from access other than via the security software by supplying a reset signal to the controller to reset the controller, thereby denying access to the storage location unless the security software is being accessed.
  • the invention may also be said to reside in a memory and controller device for storing and processing security software and data including; a controller at least one memory coupled to the controller; loading means for allowing security software to be loaded into the controller for storage in a first memory location within the memory, and preventing reloading or alteration of the software in the said storage location within the memory; at least one peripheral device coupled to the controller; and wherein the controller enables loading of software and data into the at least one memory in storage locations other than the said first storage location under the control of the security software loaded into the first storage location, and the controller is for controlling operation of the peripheral device so that the peripheral device is only operable under control of the security software stored in the said first storage location.
  • the secure peripheral component includes a keypad for entry of data into the device and/or a display for displaying information to a user, and/or memory locations with at least one memory.
  • the loading means includes control means for supplying a logic signal to the controller to allow loading of software into the controller in a bootloader state, switch means for maintaining the control means in the said logic state and interrupter means for supplying a signal to the switch means to cause the switch means to change state to cause the control means to change state so that a logic signal is supplied to the controller to prevent loading of software in the bootloader state.
  • the switch means comprises a transistor and a fuse coupled to the control means for causing the control means to supply a logic low to the controller to allow loading of software in the bootloader state.
  • the interrupter means comprises circuit means coupled to the controller for receiving a signal from the controller to switch on the transistor so that power flows through the fuse to blow the fuse, thereby causing the control means to permanently supply the logic signal to the controller preventing loading of software in the bootloader state.
  • the circuit means includes a NAND gate coupled to a base of the transistor so that when a low signal is provided from the controller to the circuit means a high signal is supplied to the base of the transistor to switch the transistor on to cause the fuse to blow.
  • the secure peripheral component is prevented from being accessed other than by the security software stored within the said memory location.
  • the controller is connected to the memory by at least one memory switch control line so that when the memory switch control line is activated to address the memory storage location which stores the security software, a signal is supplied to the security peripheral component to enable operation of the security peripheral component.
  • the security peripheral component includes a keypad and the keypad is coupled to the switching control line by at least one switch means so that when a signal is applied to address the security software the switch means is activated to enable operation of the keypad and when the security software is not being accessed the switch line supplies a signal to the switch to prevent access to the keypad.
  • the keypad includes a plurality of scan and read lines which couple the keypad to the controller, the switch comprising a plurality of transistors connected to the scan and read lines so that, dependent upon the signals applied to the switching control line, the transistors are held in a state preventing operation of the scan and read lines so that the keypad is not activated, or allowing operation of the scan and read lines so that the keypad is activated and signals indicative of particular key presses of the keyboard can be read by the controller.
  • the at least one switch control line is connected by second circuit means to the display for enabling the display when the security software is accessed or preventing operation of the display if the security software is not accessed.
  • the second circuit means includes logic circuit means for supplying a high signal to an enable of the display when the security software is being accessed and for providing a low signal to the display if the security software is not accessed.
  • the security peripheral component includes at least one memory location for storing data, the at least one memory location being disabled from access other than via the security software by supplying a reset signal to the controller to reset the controller, thereby denying access to the storage location unless the security software is being accessed.
  • the at least one memory comprises a first memory unit for storing code, and a second separate memory unit for storing data.
  • a single memory device can be employed for storing both code and data and the memory device or devices may be integrated within the controller.
  • the invention may also be said to reside in a method of storing security software in a memory and controller device, including; loading the security software into a first storage location of a memory; preventing reloading or overwriting of the security software in the first storage location; and allowing loading of additional non-secure software into storage locations within the memory other than the first storage location under the control of the security software loaded into the first storage location.
  • the loading of the non-secure software takes place subsequent to the loading of the security software.
  • the loading of the security software takes place by a bootloader state of the controller and after loading of the security software, the bootloader state of the controller is disabled to prevent reloading or alteration of software in the first storage location.
  • the method also includes a loading of data into further memory locations of the memory.
  • the invention also provides a method of handling banking encryption keys in a controller and memory device, including; loading a terminal master key at a manufacturing stage of the controller and memory; subsequently allowing loading of a terminal transport key and a terminal message authenticated code key; controlling operation of the terminal master key, the terminal transport key and the terminal message authenticated code key by security software; using the terminal transport key to encrypt the master key for loading into a key array; and using the terminal MAC key to generate message authenticated codes on any one or more of, secure prompts, fonts for display on a display, and secure software component code loads.
  • the invention may also be said to reside in a method of storing security software and data in a controller and memory device, including; storing security software and a key in a secure environment; subsequently allowing storage of subsequent keys loaded as determined by a specific customer of the device; the subsequent keys being encrypted under the key loaded with the security software.
  • the method includes tagging each key loaded into the controller and memory with an identification of the application responsible for its loading.
  • the identification is assigned to the application by the security software.
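The key-handling method described in the last few items, written out as an added model (this is not code from the patent or from Mcom Solutions). It shows a key array in which every key is tagged with the application identification that the security software assigned to the application that loaded it, a terminal master key placed in the array at manufacture and tagged to the security software itself, a refusal to overwrite a loaded key, and the terminal MAC key being used to authenticate a secure prompt and a code load. Assumptions not taken from the page: HMAC-SHA256 stands in for the MAC algorithm the page does not name, a key may be used only by the application that loaded it or by the security software, the application identifications are small integers, the key values are constructed samples, and encryption of transported keys under the master key is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRecord:
    """One slot of the key array: the key and the application that loaded it."""
    name: str
    value: bytes
    owner_app_id: int


class SecurityComponent:
    """Model of the certified security software's key handling (assumed behaviour)."""

    SECURE_APP_ID = 0   # identification the security software reserves for itself

    def __init__(self, terminal_master_key: bytes):
        # The terminal master key is loaded at the manufacturing stage and is
        # tagged to the security software rather than to any application.
        self._keys = {"TMK": KeyRecord("TMK", terminal_master_key, self.SECURE_APP_ID)}
        self._next_app_id = 1

    def register_application(self) -> int:
        """Assign an identification to a newly loaded application."""
        app_id = self._next_app_id
        self._next_app_id += 1
        return app_id

    def load_key(self, name: str, value: bytes, app_id: int) -> None:
        """Store a key loaded later (e.g. TTK, TMAK), tagged with the loading application."""
        if name in self._keys:
            raise PermissionError(f"key {name} is already loaded and may not be overwritten")
        self._keys[name] = KeyRecord(name, value, app_id)

    def owner_of(self, name: str) -> int:
        return self._keys[name].owner_app_id

    def _key_for(self, name: str, app_id: int) -> bytes:
        # Assumed rule: a key is usable by the application that loaded it and by
        # the security software itself; any other application is refused.
        record = self._keys[name]
        if app_id not in (record.owner_app_id, self.SECURE_APP_ID):
            raise PermissionError(f"application {app_id} may not use key {name}")
        return record.value

    def mac(self, app_id: int, payload: bytes) -> bytes:
        """MAC a secure prompt, font or code load under the terminal MAC key.
        HMAC-SHA256 is an assumption; the page does not name the MAC algorithm."""
        return hmac.new(self._key_for("TMAK", app_id), payload, hashlib.sha256).digest()

    def accept_code_load(self, app_id: int, image: bytes, tag: bytes) -> bool:
        """Accept a secure software component code load only if its MAC verifies."""
        return hmac.compare_digest(self.mac(app_id, image), tag)


def scenario() -> dict:
    """Constructed walk-through with fixed sample keys (not real key material)."""
    sc = SecurityComponent(terminal_master_key=b"\x01" * 16)
    bank_app = sc.register_application()      # the financial institution's application
    other_app = sc.register_application()     # some other application on the terminal
    sc.load_key("TMAK", b"\x02" * 16, bank_app)

    prompt = b"ENTER PIN"                      # constructed secure prompt
    image = b"\xde\xad\xbe\xef" * 4            # constructed code-load image
    prompt_tag = sc.mac(bank_app, prompt)
    image_tag = sc.mac(bank_app, image)
    results = {
        "tmak_owner": sc.owner_of("TMAK"),
        "tag_len": len(prompt_tag),
        "genuine_accepted": sc.accept_code_load(bank_app, image, image_tag),
        "tampered_rejected": not sc.accept_code_load(bank_app, image + b"!", image_tag),
    }
    try:
        sc.mac(other_app, prompt)
        results["foreign_app_blocked"] = False
    except PermissionError:
        results["foreign_app_blocked"] = True
    try:
        sc.load_key("TMK", b"\x03" * 16, other_app)
        results["overwrite_blocked"] = False
    except PermissionError:
        results["overwrite_blocked"] = True
    return results


if __name__ == "__main__":
    print(scenario())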
  • Figure 2 shows a modification to the embodiment of Figure 1.
  • eftpos device for enabling eftpos, credit and like financial transactions to take place by the keying of price information into a keyboard, a pin number related to a purchaser into the keyboard, and the processing and transmission of that data to enable credit verification or eftpos transfer of funds from one bank account to another.
  • a micro-controller 100 preferably a VS5002 micro-controller is connected to keypad 102 by read lines 15, 17, 19 and 21 and scan lines 25, 27, 29 and 31.
  • the keypad 102 includes switches SW1 to SW16 which are arranged in a matrix formation so that by providing scan signals to the abovementioned scan lines and reading signals from the abovementioned read lines a determination can be made as to which of the switches SW1 to SW16 has been depressed.
  • the keypad 102 can be of the type disclosed in our co-pending Australian International patent application No. PCT/AU00/00419, the contents of which are incorporated into this specification by this reference.
  • One side of the switches SW1 to SW16 are connected to field effect transistors 104 and the other side of the switches SW1 to SW16 are connected to field effect transistors 106. That is, the field effect transistors 104 are effectively connected on one side to read lines 15, 17, 19 and 21 and the field effect transistors 106 are connected on one side to scan lines 25, 27, 29 and 31.
  • the gate of the transistors 104 and 106 are connected to line 108.
  • Line 108 is connected to a logic circuit 110 which will be described in more detail hereinafter.
  • the controller 100 is connected to a first memory 120 and to a second memory
  • the memory 120 is intended to store security software for operation of the device shown in Figure 1 and the memory 130 stores security data required for operation of the device of Figure 1.
  • the security software in this embodiment includes software which handles encryption keys of a financial institution. Software which is not security sensitive is also eventually loaded into the memory 120 and data is eventually loaded into the memory 130.
  • the non-secure software and data may be loaded after manufacture and dispatch of the device to an end user which may load its own software into the device for operation of the device in accordance with its own protocols. Data of a sensitive nature such as the encrypted keys which are to be handled by the secure software may be loaded at the same time as the secure software or, because the keys are in fact encrypted, may be loaded in a non-secure environment together with the application software.
  • the controller 100 is connected to the memories 120 and 130 by data bus 131.
  • the controller 100 is also connected to a liquid crystal display 132 by data buses 133 and 134 (which are shown disconnected for ease of illustration).
  • a bank switch 140 is also connected to the memories 120 and 130 by lines 141 and 142.
  • the bank switch 140 receives signals from lines 141 and 143 from the controller 100 which supplies signals to lines 139 and 139'.
  • the lines 139 and 139' and 143 and 143' are joined but are shown separate simply for ease of illustration in Figure 1.
  • output signals from the controller 100 on lines 139 and 143 are supplied to bank switch 140 so that the appropriate outputs can be applied to lines 141 and 142 to control the memories 120 and 130 so the processor 100 knows which of the memories 120 and 130 is being read from or loaded into.
  • Controller 100 has a data switch line 50 and a data switch line 51 which are coupled to NAND gate 147 of the circuit 110.
  • the NAND gate 147 has an output line 148 connected to resistor 149 which in turn connects to base of transistor 150.
  • the emitter of transistor 150 is connected to ground via resistor 151.
  • Reset line 34 of the controller 100 is also connected to the emitter of transistor 150.
  • the controller 100 also has code switch lines 58 and 60 which connect to NAND gate 153.
  • the NAND gate 153 has an output 154 which connects to inverter 155.
  • the inverter 155 has an output 156 which connects to NAND gate 157 and the output of the NAND gate 157 connects to the collector of transistor 150 by line 158.
  • the second input to NAND gate 157 is provided by code switch line 64 from the controller 100.
  • the output of the NAND gate 157 is also connected to inverter 160 by line 161.
  • the inverter 160 has an output line 162.
  • the line 161 also connects to line 108 of the keypad 102 to connect the logic circuit 104 to the keypad 102 as previously described.
  • the emitter of transistor 150 is also connected to reset line 34 of the controller 100 and program line 32 of the controller 100 is connected to an output of NAND gate 165.
  • the NAND gate 165 has inputs 166 and 167 which are connected to the collector of transistor 170.
  • the collector of the transistor 170 is also connected to line 174 which in turn is connected to a power supply 175 by fuse 177.
  • the line 174 also connects to resistor 178 which is connected to the emitter of the transistor 170 which in turn is connected to ground.
  • the base of the transistor 170 is connected to output 180 of NAND gate 181 via resistor 182.
  • the NAND gate 181 is supplied with signals from line 44 from the controller 100.
  • Output PE4 from the controller 100 also connects to an inverter 190 via lines 191a and 191b (which are joined but shown separate simply for ease of illustration) .
  • the output PE4 supplies control signals from the controller 100 to operate the display 132 depending on whether security software is being accessed as will be described hereinafter.
  • the output of the inverter 190 connects to one input of NAND gate 191 and the other input of NAND gate 191 is received from output 162 of the inverter 160 via line 162'. Lines 162 and 162' are joined but are shown broken in the drawing simply for ease of illustration.
  • the output of NAND gate 191 connects to inverter 193 which in turn has an output connected to enable line 17 of the liquid crystal display 132.
  • the controller 100 includes control circuitry 195 such as a timing crystal, power supply and the like which is conventional and therefore will not be described in any detail.
  • the display 132 also has a power supply 196 which is conventional and will not be described in any detail.
  • Preset circuitry 197 is also connected to the display 132 as is conventional and therefore this will not be described in any detail.
  • the memories 120 and 130 consist of two 512 K byte random access memories.
  • the limit of memory bus 131 of 64K byte of directly accessible memory via the sixteen address lines AO to CE3 is expanded by the addition of three extra virtual address lines which are provided by lines 49, 50 and 51 which connect to lines 2, 30 and 1 of the memory 130 and lines 58, 60 and 64 which connect with lines 2, 30 and 1 of the memory 120.
  • the micro-controller 100 is able to page through the whole 512K byte of each memory 120 and 130 and is able to access 64K byte of memory within each page.
  • These pages are called banks and for convenience are named code banks 0 to 7 for the memory 120 and data banks 0 to 7 for the memory 130.
  • Code bank 0 is accessed when lines 58, 60 and 64 are low and code bank 7 is accessed when lines 58, 60 and 64 are high. Code banks 1 to 6 are accessed by line states in between these extremes. Similarly, data bank 0 is accessed when lines 49, 50 and 51 are low and data bank 7 is accessed when these lines are high. Once again, data banks 1 to 6 are accessed with signals on lines 49, 50 and 51 between these extremes.
  • the logic circuit 110 performs certain actions dependent on the state of the memory bank switching control lines 49 to 64 mentioned above.
  • the security software which is required to be loaded into the memory 120 and accessed by the controller 100 is to be loaded into code bank 7 of the memory 120.
  • non-secure software will be loaded into the other code banks 1 to 6 of the memory 120 and data will be loaded into the data banks 1 to 7 of the memory 130.
  • Only when code bank 7 is active (that is lines 48, 60 and 64 are high) is the output of NAND gate 157 low. That is line 64 is high and line 60 is high which causes NAND gate 153 to output a low signal on output 154 and inverter 155 to invert that to a high signal on output 156.
  • the NAND gate 157 is provided with two high inputs producing a low output to inverter 160.
  • the low signal from NAND gate 157 is also supplied to line 108 by line 109.
  • the field effect transistors 104 and 106 are not held on because the output on line 109 and 108 is low.
  • the keypad 120 is able to function when code bank 7 is accessed by a high signal on lines 58, 60 and 64.
  • the display screen 132 is also able to function because the high output on line 162 is supplied to line 162 ' and when the output from inverter 190 is high NAND gate 191 produces a low output to inverter 193 which in turn produces a high output to enable line 17 of the display 132.
  • security data can be loaded into data bank 6 or data bank 7 under the control of the security software and only accessed via the security software and not by any other software which may be subsequently loaded into the device .
  • the logic circuit 110 also controls the state of program line 32 of the micro-controller 100. This line determines if the micro-controller is able to enter the hardware "bootloader" of the controller 100 that enables the loading of code. As long as the fuse 177 is intact, the device will always enter this bootloader state when powered up. However, if fuse 177 is blown by activating transistor 170 then it is no longer possible to enter this state. Initially, high signals are applied to lines 166 and 167 from power supply 175, thereby causing a low signal to be output from NAND gate 165 to program line 32. Program line 32 is activated by a logic low and this enables the bootloader function to be activated within the controller 100.
  • trusted security code is loaded into code bank 7 of memory 120 using the hardware bootloader.
  • the security software is loaded through serial port 199 of the controller 100. Once loaded this code activates transistor 170 by supplying a low signal on fuse line 44 to NAND gate 181 so that line 180 goes high to switch on transistor 170. This causes power to be supplied through the fuse 177 to blow the fuse 177. When fuse 177 is blown lines 167 and 166 go low and the output of NAND gate 165 to program line 32 is high thus preventing the controller 100 entering the bootloader state.
  • the device shown in Figure 1 is now loaded with the security software and the device is in a state where the security software cannot be reloaded or overwritten because the bootloader is not able to function because of the high signal maintained on line 32.
  • the device with the security software loaded into it can now be supplied to outside parties for the loading of application software and data into the device.
  • Any future code is now loaded via the trusted code contained within code bank 7 which is designed not to permit any loading into code bank 7 but only code into code banks 0 to 6 of the memory 120. Thus, any further code loaded is not able to directly access the key pad 102, the display 132 or data banks 6 and 7 as this is prevented by the logic circuit 104 as described above. Thus, the code in code bank 7 can store any information in data banks 6 and 7 without the possibility of code in any other code bank accessing this information.
  • additional software and data such as encrypted keys, data relating to the merchant who will use the device including bank account data and the line and other data and application software to control use of the device can be loaded without corrupting or overwriting the security software in code bank 7.
  • the controller 100 can control whether the display 132 is enabled during use of the security software by outputs from output PE4 on lines 191a and 191b.
  • the inverter causes a logic high to be supplied to NAND gate 191, and inverter 193 inverts the output from the NAND gate 191 so that a high signal is applied to enable line 17 of the display 132.
  • if a low output is supplied to the inverter 190 from the output PE4, then a low signal will be supplied to enable line 17 to disable the display 132.
  • the display can only be enabled when a high signal is applied to the line 162' but can be disabled by the controller dependent on the output of output PE4.
  • those devices can be controlled in accordance with the security software to prevent misuse of the device.
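The peripheral gating just described, written out as an added simulation (this is not circuit code from the patent or from Mcom Solutions). The keypad and display paths are modelled gate by gate as the text wires NAND gate 153, inverter 155, NAND gate 157, inverter 160, inverter 190, NAND gate 191 and inverter 193; the reset path through transistor 150 is modelled only by its stated intent (data banks 6 and 7 reset the controller unless code bank 7 is active), because the transistor polarity is not derivable from the description. Two further assumptions: lines 58 and 49 are taken as the least significant bank-select bits, since the page fixes only the two extremes of each three-line group, and PE4 is taken as enabling the display when low, which is what the gate wiring gives even though the page's own sentences about PE4 do not all agree. The exhaustive check at the end is the property a certifier cares about: no combination of bank-select lines and PE4 enables the keypad or display outside code bank 7.

```python
from itertools import product


def nand(*inputs: int) -> int:
    """Two- or three-input NAND on logic levels 0/1."""
    return 0 if all(inputs) else 1


def inv(x: int) -> int:
    """Inverter."""
    return 1 - x


def bank_number(low_line: int, mid_line: int, high_line: int) -> int:
    """Bank selected by three virtual address lines.

    Assumption (the page only fixes the two extremes): the first line is the
    least significant bit, so lines 58/60/64 give code bank 0..7 and lines
    49/50/51 give data bank 0..7.
    """
    return low_line | (mid_line << 1) | (high_line << 2)


def peripheral_gates(line58: int, line60: int, line64: int, pe4: int):
    """Gate-level model of the keypad and display paths of logic circuit 110.

    Returns (keypad_enabled, display_enabled).
    """
    out154 = nand(line58, line60)   # NAND gate 153
    out156 = inv(out154)            # inverter 155
    line161 = nand(out156, line64)  # NAND gate 157: low only for code bank 7
    line108 = line161               # gates of FETs 104/106 via lines 109/108
    keypad_enabled = line108 == 0   # FETs not held on -> scan/read lines usable
    line162 = inv(line161)          # inverter 160, fed to NAND gate 191 via 162'
    out190 = inv(pe4)               # inverter 190 on output PE4 (polarity assumed)
    out191 = nand(out190, line162)  # NAND gate 191
    enable17 = inv(out191)          # inverter 193 -> display enable line 17
    return keypad_enabled, enable17 == 1


def reset_asserted(code_bank: int, data_bank: int) -> bool:
    """Behavioural model of the reset path through transistor 150.

    Modelled by the intent the page states (data banks 6 and 7 are reachable
    only from the security software, otherwise the controller is reset); the
    transistor polarity itself is not derivable from the text.
    """
    return data_bank in (6, 7) and code_bank != 7


def isolation_holds() -> bool:
    """Exhaustive check: no secure peripheral is usable unless code bank 7 is selected,
    and no secure data bank is reachable from another code bank without a reset."""
    for l58, l60, l64, pe4 in product((0, 1), repeat=4):
        keypad, display = peripheral_gates(l58, l60, l64, pe4)
        if (keypad or display) and bank_number(l58, l60, l64) != 7:
            return False
    for cb, db in product(range(8), repeat=2):
        if db in (6, 7) and cb != 7 and not reset_asserted(cb, db):
            return False
    return True


if __name__ == "__main__":
    print("code bank 7, PE4 low :", peripheral_gates(1, 1, 1, 0))
    print("code bank 7, PE4 high:", peripheral_gates(1, 1, 1, 1))
    print("code bank 3, PE4 low :", peripheral_gates(1, 1, 0, 0))
    print("isolation property   :", isolation_holds())
```

The point of the exhaustive loop is that the isolation does not depend on the application software behaving: every one of the sixteen line combinations outside bank 7 leaves line 161 high, which both holds the keypad FETs on and forces NAND gate 191 high regardless of PE4.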
  • the loading of the secure software into the controller results in the controller now having a secure software component that is fully contained within a predetermined location, or in other words, a predetermined address range accessible by the micro-controller, and application software that is fully contained outside of this predetermined address range i.e. in code banks other than code bank 7.
  • the logic circuit 104 is then able to prevent all access to the secure peripheral components comprised of the keyboard 102 and the display 132, except via the secure software component, by disabling the keyboard 102 and the display 132 if they are not accessed from within the predetermined address range of the secure software.
  • the disabling of the bootloader of the microcontroller after loading of the secure software forces all other software to be loaded via the secure software component loader routine.
  • The peripheral components may also include particular data banks within the memory 130, for example data banks 6 and 7. These data banks may be used to store information or data of a secure nature, such as bank encryption keys, plain text personal identification numbers etc., and thus it is impossible for the insecure software component to gain access to them.
  • Figure 2 shows a second embodiment of the invention. Only the controller 100 and the modified part of the embodiment of Figure 1 is shown in Figure 2. However, it should be understood that all of the circuitry of Figure 1 is also included in Figure 2. Like reference numerals indicate like parts to those described with reference to Figure 1.
  • the fuse 177 and the associated circuitry for blowing the fuse is replaced by a second controller 200 which effectively performs the function of the fuse 177 in the earlier embodiment.
  • the second controller 200 is connected to program line 32 and also to line 44.
  • the controller 100 is able to enter the boot-loader state to load code in the same manner as previously described and in order to enable the code to be loaded the second controller 200 outputs a low signal on line 32.
  • the code supplies a signal on line 44 to the second controller 200.
  • the signal can be any logic state which will be recognised by the controller 200 as indicating that the loading of code has been completed and is now desired to disable the loading or manipulation of code.
  • the second controller 200 places the main controller 100 into the boot-loader state after checking the state of a non-volatile flag bit in the memory of the second controller 200. If the flag bit is not set, the controller 200 places the controller 100 into the loader mode by a low signal on line 32.
  • The signal on line 44, which is produced after the code has been loaded, can set the flag in the second controller 200 so that when the check is made and the flag is set the controller 200 can output a high on line 32 to disable the loading of code.
  • the controller 100 is prevented from reentering the boot-loader state.
  • Security software cannot be reloaded or overwritten because the bootloader is not able to function because of the high signal maintained on line 32, in the same manner as described with reference to the earlier embodiment.
  • the present embodiment has the advantage that if desired, the second controller 200 can alter the high signal on line 32 to enable code to be rewritten or altered.
  • the controller 200 can receive a security signal which can be fed to the second controller 200 if it is desired to change the code so that only when that security signal is provided will the second controller 200 enable the controller 100 to reenter the bootloader state so that the code can be altered or reloaded.
  • the security signal can be supplied only by authorised personnel and which can be entered via the keyboard 102 described with reference to the earlier embodiment or by any other suitable method.
  • This embodiment obviously has the advantage that it does enable the deactivated state of the bootloader to be altered after the code is initially loaded, under security restriction requirements should that ever be necessary.
  • The secure software component is constructed and works with the logic circuit 104 to uphold certain tenets, as follows:
  • the display 132 is used by the application software to provide information to the user of the device, and also to prompt for input on the keypad 102.
  • Input on the keypad 102 forms one of two types, data entry, for items such as purchase amounts, identification numbers, etc; and PIN entry, for the gathering of the customers PIN.
  • Once the prompts have been checked to ensure that none can be used for nefarious ends, they are MAC'ed by the trusted party using the terminal MAC key (note that the trusted party need not know the MAC key, just be able to generate MACs with it). They can then be loaded into the terminal and used, with no possible security compromise.
  • A prompt file may contain the prompt 'Please enter SIM ACCESS CODE'.
  • font files must also be checked by a trusted party, and MAC'ed by the terminal MAC key.
  • Access to the plain text data entered on the numeric keypad 102 is available only with a prompt and font that has a valid MAC.
  • the secure software component manages banking encryption keys in a hierarchy of four parts. This hierarchy consists of a terminal master key, a terminal transport key, a terminal MAC key, and an array within which all other keys passed to the secure software component from the insecure software component are held.
  • This hierarchy allows for a terminal to be loaded with only one key at manufacture (the terminal master key) , and then have the transport key and MAC key determined by the specific customer (financial institution), as these keys will be different for each financial institution. As no further hierarchy is enforced beyond these three keys, the individual applications are able to institute any key management scheme that is required.
  • the secure software component prevents any operations on these keys that may be used to violate the required security tenets.
  • the terminal transport key is used to encrypt the hierarchy master key of the primary financial institution application for loading into the key array.
  • the terminal MAC key is the key used to generate MACs on the secure prompt, fonts, and secure software component code loads.
  • All keys passed to the secure software component for storage must be encrypted under a key that already exists within the key hierarchy.
  • PINs entered on the numeric keypad 102 are returned only after being encrypted into a PIN-block using one of the keys in the key table.
  • the numeric keypad is disabled.
  • Access to the display 132 is available only from the secure software, and therefore application software may only write to the display 132 via API (Application Programming
  • Access to any part of the alphanumeric keypad 102 is available only from the secure software, and therefore application software may read data from the keypad 102 via API call. Any attempt, by the application software, to read from the keypad directly will not work.
  • a key may only be accessed for use by the application software component that was responsible for the initial placement of that key within the key slot. That is to say, all keys are segmented per financial institution 'parent', and are unavailable for use to another financial institution. One exception to this is that any key may be
  • This tenet is enforced by 'tagging' each key loaded into the array with the ID of the application responsible for its loading. This ID is assigned to the application by the secure software component.
  • the primary application 'allows' other applications, by controlling access to the key array within the secure software component. If other financial institutions are not permitted access to encrypt keys under the terminal transport key, they must load their hierarchy master keys via a key already present in the key array. This key, then, must be 'given' to them by the primary application. Thus it is possible to request that the secure software component re-assign the ID on a key within the array, to enable it to be used by another application. This key then becomes the master hierarchy key of the new application
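The key-handling tenets above (a hierarchy of terminal master, transport and MAC keys; keys entering the array only encrypted under a key already in the hierarchy; per-application tagging and re-assignment of key slots; MAC'ed prompts gating keypad access; PINs leaving only as encrypted PIN blocks) as a runnable software model. This is an added example written for this page, not code from the patent or its applicant. HMAC-SHA256 stands in for the terminal's MAC algorithm, an HMAC-derived keystream stands in for its key-wrapping cipher, the PIN block is ISO 9564-1 format 0 (the page names no format), the rule that only the primary application (ID 1) may wrap keys under the terminal transport key is an assumption, and all key and PAN values used are constructed test data.

```python
"""Model of the secure software component's key-handling tenets (added example)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_key(kek: bytes, plain_key: bytes) -> bytes:
    """Encrypt plain_key under kek and tag it so a tampered wrap is refused."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, plain_key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap_key(kek: bytes, wrapped: bytes) -> bytes:
    nonce, ct, tag = wrapped[:16], wrapped[16:-16], wrapped[-16:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication")
    return keystream_xor(kek, nonce, ct)


def iso_format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field (12 PAN digits left of the check digit)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


class SecureSoftwareComponent:
    """The certified component: keys live in its private data banks and the
    insecure application software reaches them only through these API calls."""

    def __init__(self, terminal_master_key: bytes):
        self._tmk = terminal_master_key            # the one key loaded at manufacture
        self._transport_key: Optional[bytes] = None
        self._mac_key: Optional[bytes] = None
        self._key_array: List[Tuple[int, bytes]] = []   # (owner application ID, key)
        self._next_app_id = 1

    def load_customer_keys(self, wrapped_transport: bytes, wrapped_mac: bytes) -> None:
        """Transport and MAC keys arrive encrypted under the TMK, the only key present."""
        self._transport_key = unwrap_key(self._tmk, wrapped_transport)
        self._mac_key = unwrap_key(self._tmk, wrapped_mac)

    def register_application(self) -> int:
        """The secure component, not the application, assigns the application ID."""
        app_id = self._next_app_id
        self._next_app_id += 1
        return app_id

    def _owned_key(self, app_id: int, slot: int) -> bytes:
        owner, key = self._key_array[slot]
        if owner != app_id:
            raise PermissionError(f"key slot {slot} is tagged to application {owner}")
        return key

    def load_key(self, app_id: int, wrapped: bytes, under_slot: Optional[int] = None) -> int:
        """A key enters the array only encrypted under a key already in the hierarchy."""
        if under_slot is None:
            if app_id != 1:   # assumption: transport key reserved for the primary application
                raise PermissionError("transport key is reserved for the primary application")
            kek = self._transport_key
        else:
            kek = self._owned_key(app_id, under_slot)
        self._key_array.append((app_id, unwrap_key(kek, wrapped)))
        return len(self._key_array) - 1

    def reassign_key(self, owner_app_id: int, slot: int, new_app_id: int) -> None:
        """The owner 'gives' a key to another application, whose hierarchy master it becomes."""
        key = self._owned_key(owner_app_id, slot)
        self._key_array[slot] = (new_app_id, key)

    def generate_prompt_mac(self, prompt: bytes) -> bytes:
        """The MAC a trusted party attaches to a vetted prompt or font file."""
        return hmac.new(self._mac_key, prompt, hashlib.sha256).digest()[:16]

    def _check_prompt(self, prompt: bytes, mac: bytes) -> None:
        if not hmac.compare_digest(mac, self.generate_prompt_mac(prompt)):
            raise PermissionError("prompt/font MAC invalid: keypad stays disabled")

    def read_data(self, prompt: bytes, mac: bytes, keys_pressed: str) -> str:
        """Plain-text data entry (amounts, IDs) is released only behind a MAC'ed prompt."""
        self._check_prompt(prompt, mac)
        return keys_pressed

    def read_pin(self, app_id: int, slot: int, prompt: bytes, mac: bytes,
                 pin: str, pan: str) -> bytes:
        """PIN entry never leaves in clear: it is returned as a PIN block encrypted
        under a key array slot that the calling application owns."""
        self._check_prompt(prompt, mac)
        key = self._owned_key(app_id, slot)
        nonce = os.urandom(16)
        return nonce + keystream_xor(key, nonce, iso_format0_pin_block(pin, pan))
```

The application software never sees a key or a clear PIN: it hands in wrapped keys and MAC'ed prompts and gets back slot numbers, plain data entry, or an encrypted PIN block. A second financial institution's application cannot use the transport key and cannot touch a slot tagged to the primary application until that application calls reassign_key for it, which mirrors the 'giving' of a hierarchy master key described above.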

Abstract

A memory and controller device for storing and processing security software and data is disclosed which includes a controller (100) and loading means (110) for enabling software to be loaded into a storage location (120), (130). The controller provides a signal to the loader (100) when software has been loaded so as to cause the loader to place the controller into a mode where reloading or manipulation of the software in a bootloader state is prevented. The loader may include a fuse which is blown after loading of the software so as to cause a high signal to be provided to the controller in order to prevent the controller (100) from entering the bootloader state or a second controller (200) can be utilised to provide the signal to prevent the controller (100) from entering the bootloader state.

Description

CONTROLLER AND MEMORY FOR STORING AND PROCESSING SECURITY SOFTWARE AND DATA
FIELD OF THE INVENTION This invention relates to a memory and controller device for storing and processing security software and data, and a method of storing software.
BACKGROUND OF THE INVENTION Electronic devices such as terminals for use in the financial payment industry are usually comprised of a hardware component and a software component. Each of these components is required for the device to operate and often each of these components requires a separate certification from the financial institution with which the terminal will communicate before the device may be deployed. Specifically, any software that handles the encryption keys of a financial institution requires a "logical security" certification, to ensure that none of these keys are able to "leave" the terminal in an unencrypted form.
Although the electronic hardware component is usually not subject to frequent change, the software component is variable between financial institutions and often requires revision to include further features or to fix problems. Each modification of this software requires that another certification be performed to ensure that the changes do not violate any of the security tenets of the financial institution. Thus, changes to software or to hardware may require a recertification of the device before the device can be redeployed. This problem is compounded in financial payment systems such as eftpos devices which operate by over the air communication and are portable, because the terminals are not fixed in a single location and are generally moved from place to place, thereby making it easier to illegally tamper with a device.
SUMMARY OF THE INVENTION
The object of the present invention is to provide a memory and controller device which stores and processes security software and data and a software storage method which do not require recertification after software modifications to the device.
The invention in a first aspect may be said to reside in a memory and controller device for storing and processing security software and data including; a controller; at least one memory coupled to the controller; loading means for allowing security software to be loaded into the controller for storage in a memory location within the memory, and for preventing reloading or alteration of the software in the said storage location within the memory; and the controller being for outputting a control signal to the loading means in response to the software loaded into the said memory location, after loading of the software into the memory location, to disable the loading means to prevent reloading of software or alteration of the software in the said storage location of the storage means.
Thus, according to this aspect of the invention security software can be loaded into the controller for storage in the memory location and thereafter may not be reloaded or overwritten (without permission) . The security software so loaded can perform all necessary storage and handling of security data such as financial institution keys, collect plain-text personal identification numbers from a key pad, and display information upon a display screen. Therefore it is possible to obtain a logical security certification on the secure software component and have this certification stand regardless of the application software (insecure software component) that is loaded. Thus, it is possible to change the application software, or incorporate multiple application software components and have them all execute from the one controller without violating the security of the secure software component.
Preferably the device also includes at least one secure peripheral component and wherein the controller prevents access to the secure peripheral component by anything other than the security software loaded into the storage location in the at least one memory.
Thus, according to this preferred aspect, any application software loaded into the micro-controller component is automatically covered by the logical certification of the secure software component, as it is unable to access any of the secure peripheral components without using the already certified security software.
Preferably the secure peripheral component includes a keypad for entry of data into the device and/or a display for displaying information to a user, and/or at least one memory location in the at least one memory.
Preferably the loading means includes control means for supplying a logic signal to the controller to allow loading of software into the controller in a bootloader state, switch means for maintaining the control means in the said logic state, and interrupter means for supplying a signal to the switch means to cause the switch means to change state to cause the control means to change state so that a logic signal is supplied to the controller to prevent loading of software in the bootloader state.
In one embodiment the switch means comprises a transistor and a fuse coupled to the control means for causing the control means to supply a logic low to the controller to allow loading of software in the bootloader state, and the interrupter means comprises circuit means coupled to the controller for receiving a signal from the controller to switch on the transistor so that power flows through the fuse to blow the fuse, thereby causing the control means to permanently supply the logic signal to the controller preventing loading of software in the bootloader state.
Preferably the circuit means includes a NAND gate coupled to a base of the transistor so that when a low signal is provided from the controller to the circuit means a high signal is supplied to the base of the transistor to switch the transistor on to cause the fuse to blow.
In another embodiment of the invention the switch means comprises a controller which outputs a first signal to enable loading of software and outputs a second signal to prevent the loading of software.
Preferably the second controller is coupled to said controller for receiving a signal from said controller when loading of software is completed to cause the second controller to provide a signal to the controller to prevent loading of software in the bootloader state.
Preferably the secure peripheral component is prevented from being accessed other than by the security software stored within the said memory location.
Preferably the controller is connected to the memory by at least one memory switch control line so that when the memory switch control line is activated to address the memory storage location which stores the security software, a signal is supplied to the security peripheral component to enable operation of the security peripheral component.
Preferably the security peripheral component includes a keypad and the keypad is coupled to the switching control line by at least one switch means so that when a signal is applied to address the security software the switch means is activated to enable operation of the keypad and when the security software is not being accessed the switch line supplies a signal to the switch to prevent access to the keypad.
Preferably the keypad includes a plurality of scan and read lines which couple the keypad to the controller, the switch comprising a plurality of transistors connected to the scan and read lines so that, dependent upon the signals applied to the switching control line, the transistors are held in a state preventing operation of the scan and read lines so that the keypad is not activated, or allowing operation of the scan and read lines so that the keypad is activated and signals indicative of particular key presses of the keyboard can be read by the controller.
Preferably the at least one switch control line is connected by second circuit means to the display for enabling the display when the security software is accessed or preventing operation of the display if the security software is not accessed.
Preferably the second circuit means includes logic circuit means for supplying a high signal to an enable of the display when the security software is being accessed and for providing a low signal to the display if the security software is not accessed.
Preferably the security peripheral component includes at least one memory location for storing data, the at least one memory location being disabled from access other than via the security software by supplying a reset signal to the controller to reset the controller, thereby denying access to the storage location unless the security software is being accessed.
The invention may also be said to reside in a memory and controller device for storing and processing security software and data including; a controller; at least one memory coupled to the controller; loading means for allowing security software to be loaded into the controller for storage in a first memory location within the memory, and preventing reloading or alteration of the software in the said storage location within the memory; at least one peripheral device coupled to the controller; and wherein the controller enables loading of software and data into the at least one memory in storage locations other than the said first storage location under the control of the security software loaded into the first storage location, and the controller is for controlling operation of the peripheral device so that the peripheral device is only operable under control of the security software stored in the said first storage location.
Preferably the secure peripheral component includes a keypad for entry of data into the device and/or a display for displaying information to a user, and/or memory locations with at least one memory.
Preferably the loading means includes control means for supplying a logic signal to the controller to allow loading of software into the controller in a bootloader state, switch means for maintaining the control means in the said logic state, and interrupter means for supplying a signal to the switch means to cause the switch means to change state to cause the control means to change state so that a logic signal is supplied to the controller to prevent loading of software in the bootloader state.
Preferably the switch means comprises a transistor and a fuse coupled to the control means for causing the control means to supply a logic low to the controller to allow loading of software in the bootloader state, and the interrupter means comprises circuit means coupled to the controller for receiving a signal from the controller to switch on the transistor so that power flows through the fuse to blow the fuse, thereby causing the control means to permanently supply the logic signal to the controller preventing loading of software in the bootloader state.
Preferably the circuit means includes a NAND gate coupled to a base of the transistor so that when a low signal is provided from the controller to the circuit means a high signal is supplied to the base of the transistor to switch the transistor on to cause the fuse to blow.
Preferably the secure peripheral component is prevented from being accessed other than by the security software stored within the said memory location.
Preferably the controller is connected to the memory by at least one memory switch control line so that when the memory switch control line is activated to address the memory storage location which stores the security software, a signal is supplied to the security peripheral component to enable operation of the security peripheral component.
Preferably the security peripheral component includes a keypad and the keypad is coupled to the switching control line by at least one switch means so that when a signal is applied to address the security software the switch means is activated to enable operation of the keypad, and when the security software is not being accessed the switch line supplies a signal to the switch to prevent access to the keypad.
Preferably the keypad includes a plurality of scan and read lines which couple the keypad to the controller, the switch comprising a plurality of transistors connected to the scan and read lines so that, dependent upon the signals applied to the switching control line, the transistors are held in a state preventing operation of the scan and read lines so that the keypad is not activated, or allowing operation of the scan and read lines so that the keypad is activated and signals indicative of particular key presses of the keyboard can be read by the controller.
Preferably the at least one switch control line is connected by second circuit means to the display for enabling the display when the security software is accessed or preventing operation of the display if the security software is not accessed.
Preferably the second circuit means includes logic circuit means for supplying a high signal to an enable of the display when the security software is being accessed and for providing a low signal to the display if the security software is not accessed.
Preferably the security peripheral component includes at least one memory location for storing data, the at least one memory location being disabled from access other than via the security software by supplying a reset signal to the controller to reset the controller, thereby denying access to the storage location unless the security software is being accessed.
In the preferred embodiment of the invention the at least one memory comprises a first memory unit for storing code, and a second separate memory unit for storing data. However, in other embodiments a single memory device can be employed for storing both code and data and the memory device or devices may be integrated within the controller.
The invention may also be said to reside in a method of storing security software in a memory and controller device, including; loading the security software into a first storage location of a memory; preventing reloading or overwriting of the security software in the first storage location; and allowing loading of additional non-secure software into storage locations within the memory other than the first storage location under the control of the security software loaded into the first storage location.
Preferably the loading of the non-secure software takes place subsequent to the loading of the security software.
Preferably the loading of the security software takes place by a bootloader state of the controller and after loading of the security software, the bootloader state of the controller is disabled to prevent reloading or alteration of software in the first storage location.
Preferably the method also includes a loading of data into further memory locations of the memory.
The invention also provides a method of handling banking encryption keys in a controller and memory device, including; loading a terminal master key at a manufacturing stage of the controller and memory; subsequently allowing loading of a terminal transport key and a terminal message authentication code (MAC) key; controlling operation of the terminal master key, the terminal transport key and the terminal MAC key by security software; using the terminal transport key to encrypt the master key for loading into a key array; and using the terminal MAC key to generate message authentication codes on any one or more of secure prompts, fonts for display on a display, and secure software component code loads.
The invention may also be said to reside in a method of storing security software and data in a controller and memory device, including; storing security software and a key in a secure environment; subsequently allowing storage of subsequent keys loaded as determined by a specific customer of the device; the subsequent keys being encrypted under the key loaded with the security software.
Preferably the method includes tagging each key loaded into the controller and memory with an identification of the application responsible for its loading.
Preferably the identification is assigned to the application by the security software.
Preferably all security code is holistic.
BRIEF DESCRIPTION OF THE DRAWINGS
A preferred embodiment of the invention will be described, by way of example, with reference to the accompanying drawings, in which: Figure 1 shows a first embodiment of the invention; and
Figure 2 shows a modification to the embodiment of Figure 1.
DESCRIPTION OF THE PREFERRED EMBODIMENT
The preferred embodiment of the invention will be described with reference to an eftpos device for enabling eftpos, credit and like financial transactions to take place by the keying of price information into a keyboard, a pin number related to a purchaser into the keyboard, and the processing and transmission of that data to enable credit verification or eftpos transfer of funds from one bank account to another.
With reference to Figure 1, a micro-controller 100, preferably a VS5002 micro-controller, is connected to keypad 102 by read lines 15, 17, 19 and 21 and scan lines 25, 27, 29 and 31. The keypad 102 includes switches SW1 to SW16 which are arranged in a matrix formation so that, by providing scan signals to the abovementioned scan lines and reading signals from the abovementioned read lines, a determination can be made as to which of the switches SW1 to SW16 has been depressed. The keypad 102 can be of the type disclosed in our co-pending Australian International patent application No. PCT/AU00/00419, the contents of which are incorporated into this specification by this reference. One side of the switches SW1 to SW16 is connected to field effect transistors 104 and the other side of the switches SW1 to SW16 is connected to field effect transistors 106. That is, the field effect transistors 104 are effectively connected on one side to read lines 15, 17, 19 and 21 and the field effect transistors 106 are connected on one side to scan lines 25, 27, 29 and 31. The gates of the transistors 104 and 106 are connected to line 108. Line 108 is connected to a logic circuit 110 which will be described in more detail hereinafter. The controller 100 is connected to a first memory 120 and to a second memory 130. The memory 120 is intended to store security software for operation of the device shown in Figure 1 and the memory 130 stores security data required for operation of the device of Figure 1. The security software in this embodiment includes software which handles encryption keys of a financial institution. Software which is not security sensitive is also eventually loaded into the memory 120 and data is eventually loaded into the memory 130. The non-secure software and data may be loaded after manufacture and dispatch of the device to an end user, which may load its own software into the device for operation of the device in accordance with its own protocols. Data of a sensitive nature such as the encrypted keys which are to be handled by the secure software may be loaded at the same time as the secure software or, because the keys are in fact encrypted, may be loaded in a non-secure environment together with the application software.
The controller 100 is connected to the memories 120 and 130 by data bus 131. The controller 100 is also connected to a liquid crystal display 132 by data buses 133 and 134 (which are shown disconnected for ease of illustration) . A bank switch 140 is also connected to the memories 120 and 130 by lines 141 and 142. The bank switch 140 receives signals from lines 141 and 143 from the controller 100 which supplies signals to lines 139 and 139 ' . The lines 139 and 139' and 143 and 143' are joined but are shown separate simply for ease of illustration in Figure 1. Thus, output signals from the controller 100 on lines 139 and 143 are supplied to bank switch 140 so that the appropriate outputs can be applied to lines 141 and 142 to control the memories 120 and 130 so the processor 100 knows which of the memories 120 and 130 is being read from or loaded into.
Controller 100 has a data switch line 50 and a data switch line 51 which are coupled to NAND gate 147 of the circuit 110. The NAND gate 147 has an output line 148 connected to resistor 149 which in turn connects to base of transistor 150. The emitter of transistor 150 is connected to ground via resistor 151. Reset line 34 of the controller 100 is also connected to the emitter of transistor 150. The controller 100 also has code switch lines 58 and 60 which connect to NAND gate 153. The NAND gate 153 has an output 154 which connects to inverter 155. The inverter 155 has an output 156 which connects to NAND gate 157 and the output of the NAND gate 157 connects to the collector of transistor 150 by line 158. The second input to NAND gate 157 is provided by code switch line 64 from the controller 100. The output of the NAND gate 157 is also connected to inverter 160 by line 161. The inverter 160 has an output line 162. The line 161 also connects to line 108 of the keypad 102 to connect the logic circuit 104 to the keypad 102 as previously described.
The emitter of transistor 150 is also connected to reset line 34 of the controller 100 and program line 32 of the controller 100 is connected to an output of NAND gate 165. The NAND gate 165 has inputs 166 and 167 which are connected to the collector of transistor 170. The collector of the transistor 170 is also connected to line 174 which in turn is connected to a power supply 175 by fuse 177. The line 174 also connects to resistor 178 which is connected to the emitter of the transistor 170 which in turn is connected to ground.
The base of the transistor 170 is connected to output 180 of NAND gate 181 via resistor 182. The NAND gate 181 is supplied with signals from line 44 from the controller 100.
Output PE4 from the controller 100 also connects to an inverter 190 via lines 191a and 191b (which are joined but shown separate simply for ease of illustration) . The output PE4 supplies control signals from the controller 100 to operate the display 132 depending on whether security software is being accessed as will be described hereinafter. The output of the inverter 190 connects to one input of NAND gate 191 and the other input of NAND gate 191 is received from output 162 of the inverter 160 via line 162'. Lines 162 and 162 ' are, joined but are shown broken in the drawing simply for ease of illustration. The output of NAND gate 191 connects to inverter 193 which in turn has an output connected to enable line 17 of the liquid crystal display 132.
The controller 100 includes control circuitry 195 such as a timing crystal, power supply and the like which is conventional and therefore will not be described in any detail. Similarly, the display 132 also has a power supply 196 which is conventional and will not be described in any detail. Preset circuitry 197 is also connected to the display 132 as is conventional and therefore this will not be described in any detail.
The memories 120 and 130 consist of two 512 K byte random access memories. The limit of memory bus 131 of 64K byte of directly accessible memory via the sixteen address lines A0 to CE3 is expanded by the addition of three extra virtual address lines which are provided by lines 49, 50 and 51, which connect to lines 2, 30 and 1 of the memory 130, and lines 58, 60 and 64, which connect with lines 2, 30 and 1 of the memory 120. Thus, by changing the state of these lines, the micro-controller 100 is able to page through the whole 512K byte of each memory 120 and 130 and is able to access 64K byte of memory within each page. These pages are called banks and for convenience are named code banks 0 to 7 for the memory 120 and data banks 0 to 7 for the memory 130. Code bank 0 is accessed when lines 58, 60 and 64 are low and code bank 7 is accessed when lines 58, 60 and 64 are high. Code banks 1 to 6 are accessed by line states in between these extremes. Similarly, data bank 0 is accessed when lines 49, 50 and 51 are low and data bank 7 is accessed when these lines are high. Once again, data banks 1 to 6 are accessed with signals on lines 49, 50 and 51 between these extremes.
The logic circuit 110 performs certain actions dependent on the state of the memory bank switching control lines 49 to 64 mentioned above. The security software which is required to be loaded into the memory 120 and accessed by the controller 100 is to be loaded into code bank 7 of the memory 120. As previously mentioned, non-secure software will be loaded into the other code banks 1 to 6 of the memory 120 and data will be loaded into the data banks 1 to 7 of the memory 130. Only when code bank 7 is active (that is, lines 48, 60 and 64 are high) is the output of NAND gate 157 low. That is, line 64 is high and line 60 is high, which causes NAND gate 153 to output a low signal on output 154 and inverter 155 to invert that to a high signal on output 156. Thus, the NAND gate 157 is provided with two high inputs, producing a low output to inverter 160. The low signal from NAND gate 157 is also supplied to line 108 by line 109. Thus, the field effect transistors 104 and 106 are not held on because the output on lines 109 and 108 is low. Thus, the keypad 120 is able to function when code bank 7 is accessed by a high signal on lines 58, 60 and 64. The display screen 132 is also able to function because the high output on line 162 is supplied to line 162' and, when the output from inverter 190 is high, NAND gate 191 produces a low output to inverter 193 which in turn produces a high output to enable line 17 of the display 132. If the output of NAND gate 157 is low the collector of transistor 150 is maintained low on line 158. Thus, if code bank 7 is not being accessed then only the keypad 102 and display 132 remain inaccessible. It is possible for the output of transistor 150 to be set high so that line 34 of the controller goes high to reset the micro-controller 100. This reset would occur if the output of NAND gate 147 is set low, indicating that the microcontroller is accessing either data bank 6 or data bank 7.
Thus, the controller 100 is reset if an attempt is made to access data bank 6 or data bank 7 other than by access through the secure code in code bank 7. As noted above, if an attempt is made to access data bank 6 and 7 other than via the code bank 7 then the output from the NAND gate 157 is high and the reset signal is supplied to reset line 34, thereby simply causing the micro-controller to continually reset without allowing access to data bank 6 or data bank 7. Thus, security data can be loaded into data bank 6 or data bank 7 under the control of the security software and only accessed via the security software and not by any other software which may be subsequently loaded into the device.
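The bank-switching and gating behaviour described above can be checked against a small software model. The block below is an added illustration written for this page, not circuitry or code from the patent: it decodes a linear address into bank and offset, derives the three bank-select line states, and computes what logic circuit 110 would do on one bus cycle (keypad released, display enabled via PE4, reset line 34 driven). The line numbers appear only as labels; the bank sizes follow the 64K byte window and 512K byte memory stated in the description.

```python
"""Model of the bank-switching and peripheral-gating logic of the first
embodiment (logic circuit 110, keypad 102, display 132, reset line 34).
Added illustration for this page; not the patent's own hardware or code."""

SECURE_CODE_BANK = 7            # trusted security software lives in code bank 7
FIREWALLED_DATA_BANKS = {6, 7}  # security data: reachable only via code bank 7
BANK_SIZE = 0x10000             # 64K byte window per bank (sixteen address lines)
MEMORY_SIZE = 8 * BANK_SIZE     # 512K byte per memory device


def split_address(linear):
    """Map a linear 19-bit address to (bank, offset): the three extra virtual
    address lines select the bank, the sixteen bus lines select the offset."""
    if not 0 <= linear < MEMORY_SIZE:
        raise ValueError("address outside the 512K byte memory")
    return linear >> 16, linear & 0xFFFF


def bank_lines(bank):
    """State of the three bank-select lines for a bank: bank 0 is all low,
    bank 7 is all high, banks 1 to 6 lie in between."""
    return tuple((bank >> i) & 1 for i in range(3))


def logic_circuit(code_bank, data_bank, pe4_high):
    """Outputs of logic circuit 110 for one bus cycle.

    code_bank / data_bank: banks selected on lines 58, 60, 64 and 49, 50, 51.
    pe4_high: controller output PE4, which the security software uses to
    blank the display while it is running."""
    secure = all(bank_lines(code_bank))       # NAND 157 output low only for bank 7
    keypad_enabled = secure                   # FETs 104/106 no longer held on
    display_enabled = secure and pe4_high     # NAND 191 -> inverter 193 -> enable line 17
    # Selecting data bank 6 or 7 while code bank 7 is not active drives
    # reset line 34 high: the controller restarts instead of reading the data.
    reset = data_bank in FIREWALLED_DATA_BANKS and not secure
    return {"keypad": keypad_enabled, "display": display_enabled, "reset": reset}


def run_trace(cycles):
    """Replay (code_bank, data_bank, pe4_high) bus cycles and stop at the first
    one that resets the controller; report how many cycles completed."""
    for n, (cb, db, pe4) in enumerate(cycles):
        if logic_circuit(cb, db, pe4)["reset"]:
            return {"reset_at": n, "completed": n}
    return {"reset_at": None, "completed": len(cycles)}


if __name__ == "__main__":
    # Constructed trace: secure code runs, application code runs, then the
    # application touches the firewalled data bank and the device resets.
    print(run_trace([(7, 7, True), (2, 1, True), (2, 6, True), (7, 7, True)]))
```

The model makes the asymmetry of the design explicit: the keypad and display simply go dead outside code bank 7, whereas touching data bank 6 or 7 from anywhere else is treated as a fault and restarts the controller.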
The logic circuit 110 also controls the state of program line 32 of the micro-controller 100. This line determines if the micro-controller is able to enter the hardware "bootloader" of the controller 100 that enables the loading of code. As long as the fuse 177 is intact, the device will always enter this bootloader state when powered up. However, if fuse 177 is blown by activating transistor 170 then it is no longer possible to enter this state. Initially, high signals are applied to lines 166 and 167 from power supply 175, thereby causing a low signal to be output from NAND gate 165 to program line 32. Program line 32 is activated by a logic low and this enables the bootloader function to be activated within the controller 100.
During manufacture of the device, trusted security code is loaded into code bank 7 of memory 120 using the hardware bootloader. The security software is loaded through serial port 199 of the controller 100. Once loaded this code activates transistor 170 by supplying a low signal on fuse line 44 to NAND gate 181 so that line 180 goes high to switch on transistor 170. This causes power to be supplied through the fuse 177 to blow the fuse 177. When fuse 177 is blown lines 167 and 166 go low and the output of NAND gate 165 to program line 32 is high thus preventing the controller 100 entering the bootloader state.
The device shown in Figure 1 is now loaded with the security software and the device is in a state where the security software cannot be reloaded or overwritten because the bootloader is not able to function because of the high signal maintained on line 32. Thus, the device with the security software loaded into it can now be supplied to outside parties for the loading of application software and data into the device.
Any future code is now loaded via the trusted code contained within code bank 7 which is designed not to permit any loading into code bank 7 but only code into code banks 0 to 6 of the memory 120. Thus, any further code loaded is not able to directly access the key pad 102, the display 132 or data banks 6 and 7 as this is prevented by the logic circuit 104 as described above. Thus, the code in code bank 7 can store any information in data banks 6 and 7 without the possibility of code in any other code bank accessing this information.
Thus, additional software and data such as encrypted keys, data relating to the merchant who will use the device including bank account data and the like, and other data and application software to control use of the device, can be loaded without corrupting or overwriting the security software in code bank 7.
Only when the security software in code bank 7 is accessed and the appropriate outputs are supplied on data switch lines 49 to 51 and code switch lines 58 to 64 are the keypad 102 and display 132 activated for operation. The high signal on line 162' is required to enable the display 132 and the controller 100 can control whether the display 132 is enabled during use of the security software by outputs from output PE4 on lines 191a and 191b. Thus, if the inverter causes a logic high to be supplied to NAND gate 191, inverter 193 inverts the output from the NAND gate 191 so that a high signal is applied to enable line 17 of the display 132. However, if a low output is supplied to the inverter 190 from the output PE4 then a low signal will be supplied to enable line 17 to disable the display 132. Thus, the display can only be enabled when a high signal is applied to the line 162' but can be disabled by the controller dependent on the output of output PE4. Thus, those devices can be controlled in accordance with the security software to prevent misuse of the device.
Thus, the loading of the secure software into the controller results in the controller now having a secure software component that is fully contained within a predetermined location, or in other words, a predetermined address range accessible by the micro-controller, and application software that is fully contained outside of this predetermined address range, i.e. in code banks other than code bank 7. The logic circuit 104 is then able to prevent all access to the secure peripheral components comprised of the keyboard 102 and the display 132, except via the secure software component, by disabling the keyboard 102 and the display 132 if they are not accessed from within the predetermined address range of the secure software. The disabling of the bootloader of the microcontroller after loading of the secure software forces all other software to be loaded via the secure software component loader routine. The peripheral components may also include particular data banks within the memory 130, for example data banks 6 and 7. These data banks may be used to store information or data of a secure nature such as bank encryption keys, plain text personal identification numbers etc., and thus it is impossible for the insecure software component to gain access to them.
Figure 2 shows a second embodiment of the invention. Only the controller 100 and the modified part of the embodiment of Figure 1 is shown in Figure 2. However, it should be understood that all of the circuitry of Figure 1 is also included in Figure 2. Like reference numerals indicate like parts to those described with reference to Figure 1.
In this embodiment of the invention the fuse 177 and the associated circuitry for blowing the fuse is replaced by a second controller 200 which effectively performs the function of the fuse 177 in the earlier embodiment. The second controller 200 is connected to program line 32 and also to line 44. The controller 100 is able to enter the boot-loader state to load code in the same manner as previously described and, in order to enable the code to be loaded, the second controller 200 outputs a low signal on line 32. When the code has been loaded the code supplies a signal on line 44 to the second controller 200. The signal can be any logic state which will be recognised by the controller 200 as indicating that the loading of code has been completed and it is now desired to disable the loading or manipulation of code. Preferably the second controller 200 places the main controller 100 into the boot-loader state after checking the state of a non-volatile flag bit in the memory of the second controller 200. If the flag bit is not set, the controller 200 places the controller 100 into the loader mode by a low signal on line 32. The signal on line 44 which is produced after the code has been loaded can set the flag in the second controller 200 so that when the check is made and the flag is set the controller 200 can output a high on line 32 to disable the loading of code. Thus, the controller 100 is prevented from re-entering the boot-loader state. Thus, security software cannot be reloaded or overwritten because the boot-loader is not able to function because of the high signal maintained on line 32, in the same manner as described with reference to the earlier embodiment.
The present embodiment has the advantage that, if desired, the second controller 200 can alter the high signal on line 32 to enable code to be rewritten or altered. The controller 200 can receive a security signal which can be fed to the second controller 200 if it is desired to change the code, so that only when that security signal is provided will the second controller 200 enable the controller 100 to re-enter the bootloader state so that the code can be altered or reloaded. The security signal can be supplied only by authorised personnel and can be entered via the keyboard 102 described with reference to the earlier embodiment or by any other suitable method. This embodiment obviously has the advantage that it does enable the deactivated state of the bootloader to be altered after the code is initially loaded, under security restriction requirements, should that ever be necessary.
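The two ways of controlling program line 32, the one-shot fuse 177 of the first embodiment and the flag-holding second controller 200 of this embodiment, differ only in whether the locked state can ever be reversed. The block below is an added software model of both, written for this page and not taken from the patent; it assumes the security signal that re-opens loading is a byte string held only by controller 200 and compared in constant time (a sensible implementation choice, not something the description specifies).

```python
"""Model of the bootloader lock-out on program line 32: fuse 177 (first
embodiment) versus the non-volatile flag in second controller 200 (second
embodiment).  Added illustration for this page; not the patent's code."""
import hmac


class FuseGate:
    """Line 32 is held low (bootloader enabled) while fuse 177 is intact;
    blowing the fuse leaves line 32 permanently high."""

    def __init__(self):
        self.fuse_intact = True

    def power_up(self):
        return self.program_line_low()      # the fuse state is all there is

    def program_line_low(self):
        return self.fuse_intact

    def signal_load_complete(self):
        # low on fuse line 44 -> NAND 181 high -> transistor 170 on -> fuse blows
        self.fuse_intact = False

    def authorise_reload(self, security_signal):
        return False                        # a blown fuse cannot be restored


class SecondController:
    """Controller 200 tests a non-volatile flag at power-up and drives line 32
    from it; the agreed security signal can clear the flag again."""

    def __init__(self, security_signal: bytes):
        self._nv_flag_loaded = False            # persists across power cycles
        self._security_signal = security_signal  # assumption: held only by controller 200
        self._line32_high = False

    def power_up(self):
        self._line32_high = self._nv_flag_loaded
        return self.program_line_low()

    def program_line_low(self):
        return not self._line32_high

    def signal_load_complete(self):
        self._nv_flag_loaded = True             # signal on line 44 from the loaded code
        self._line32_high = True

    def authorise_reload(self, security_signal: bytes):
        """Only the agreed security signal re-opens loading."""
        if hmac.compare_digest(security_signal, self._security_signal):
            self._nv_flag_loaded = False
            self._line32_high = False
            return True
        return False


def lifecycle(gate, reload_attempt):
    """Bootloader availability after: fresh device, code loaded, power cycle,
    reload attempt with the given security signal."""
    steps = [gate.program_line_low()]
    gate.signal_load_complete()
    steps.append(gate.program_line_low())
    gate.power_up()
    steps.append(gate.program_line_low())
    gate.authorise_reload(reload_attempt)
    steps.append(gate.program_line_low())
    return steps


if __name__ == "__main__":
    print(lifecycle(FuseGate(), b"any signal"))
    print(lifecycle(SecondController(b"agreed-signal"), b"wrong"))
    print(lifecycle(SecondController(b"agreed-signal"), b"agreed-signal"))
```

Both gates lock after the load and stay locked across a power cycle; only the second controller, and only with the agreed signal, opens the bootloader again.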
In the preferred embodiment of the invention the secure software component is constructed and works with the logic circuit 104 to uphold certain tenets as follows:
All prompts displayed on the display 132 that are used to prompt for data from the numeric keypad 102 must be vetted by a trusted party (such as the terminal manufacturer) and MAC'ed (Message Authenticated Code) under a key that is unique to that developer/customer.
The display 132 is used by the application software to provide information to the user of the device, and also to prompt for input on the keypad 102. Input on the keypad 102 is of one of two types: data entry, for items such as purchase amounts, identification numbers, etc.; and PIN entry, for the gathering of the customer's PIN.
All PIN based financial transactions are based on the tenet that the customer's PIN must remain secret. Therefore, when an application requests a PIN entry from the secure software component, the PIN is only returned after being encrypted by one of the keys in the array. Data entry, however, requires that the application software receives the data entered, so that it may be used by the application. To ensure that the application does not request data entry with a prompt 'PLEASE ENTER PIN', all prompts used by the terminal must be vetted by a previously agreed trusted party, who holds the terminal's MAC key. Once the prompts have been checked to ensure that none can be used for nefarious ends, they are MAC'ed by the trusted party using the terminal MAC key (note that the trusted party need not know the MAC key, just be able to generate MACs with it). They can then be loaded into the terminal and used, with no possible security compromise.
All fonts that are used with secure prompts must be vetted by a trusted party (such as the terminal manufacturer) and MAC'ed under a key that is unique to that developer/customer.
As the preferred embodiment of this invention uses a display capable of using multiple fonts (enabling multi-lingual support), it is possible that previously vetted and trusted prompts could be made insecure through the use of a modified font. For example, a prompt file may contain the prompt 'Please enter SIM ACCESS CODE'.
If a font file is used that has normal lower case letters, but has the upper case letter 'S' replaced with 'P', 'M' replaced with 'N', and the rest of the upper case letters set to spaces, the secure prompt will then look like 'Please enter PIN'.
Therefore, font files must also be checked by a trusted party, and MAC'ed by the terminal MAC key.
Access to the plain text data entered on the numeric keypad 102 is available only with a prompt and font that has a valid MAC.
The secure software component manages banking encryption keys in a hierarchy of four parts. This hierarchy consists of a terminal master key, a terminal transport key, a terminal MAC key, and an array within which all other keys passed to the secure software component from the insecure software component are held.
This hierarchy allows for a terminal to be loaded with only one key at manufacture (the terminal master key), and then have the transport key and MAC key determined by the specific customer (financial institution), as these keys will be different for each financial institution. As no further hierarchy is enforced beyond these three keys, the individual applications are able to institute any key management scheme that is required. The secure software component prevents any operations on these keys that may be used to violate the required security tenets.
The terminal transport key is used to encrypt the hierarchy master key of the primary financial institution application for loading into the key array.
The terminal MAC key is the key used to generate MACs on the secure prompt, fonts, and secure software component code loads.
All keys passed to the secure software component for storage must be encrypted under a key that already exists within the key hierarchy.
As it is usually the financial institution that loads its individual hierarchy master key into the terminal (note that this is different from the terminal master key, as different financial institutions may have different hierarchy master keys, but the terminal only has one terminal master key), and each subsequent key is then encrypted under this hierarchy master key, the application never actually 'sees' any plaintext key, even though it can use them for encryption operations.
PINs entered on the numeric keypad 102 are returned only after being encrypted into a PIN-block using one of the keys in the key table.
At all times other than those mentioned above, the numeric keypad is disabled.
This prevents the application from using a non-prompt display (i.e. a display that does not require a previously vetted and trusted prompt) to obtain information from the keypad.
Access to the display 132 is available only from the secure software, and therefore application software may only write to the display 132 via API (Application Programming Interface) call. Any attempt, by the application software, to write to the screen directly will not work.
Access to any part of the alphanumeric keypad 102 is available only from the secure software, and therefore application software may read data from the keypad 102 via API call. Any attempt, by the application software, to read from the keypad directly will not work.
No party can ever know the terminal Master Key (including the manufacturer of the terminal).
No party can ever know the terminal MAC Key.
Only an agreed financial institution can have controlling access to the terminal's Transport Key.
Only an agreed financial institution has controlling access to their keys in the keypad 102. No other party or application software is able to gain access to the plaintext keys, including the application software that was responsible for the placement of the key.
As stated previously, if the financial institution maintains proper controls on its hierarchy master key, then the application (not knowing this key) is unable to know any subsequent keys loaded into the terminal (as they are all loaded encrypted under a key previously entered into the table).
A key may only be accessed for use by the application software component that was responsible for the initial placement of that key within the key slot. That is to say, all keys are segmented per financial institution 'parent', and are unavailable for use to another financial institution. One exception to this is that any key may be 'handed-over' to another financial institution application by that key's 'parent' application.
This allows for the terminal to support multiple applications designed for use with multiple financial institutions, without the possibility of one financial institution using the keys of another. Such key 'sharing' is a problem, as it allows for one application to violate the financial integrity of another application, contradicting one of the cornerstones of this invention (that code can be certified as 'good' once, and not require subsequent re-certifications). One example of such a financial integrity violation is the use of one financial institution's MAC key by an application not certified by that financial institution. The use of this MAC key would allow for the 'rogue' application to digitally sign messages, thus having the financial institution that 'owns' the MAC key accept any messages sent as valid.
This tenet is enforced by 'tagging' each key loaded into the array with the ID of the application responsible for its loading. This ID is assigned to the application by the secure software component.
The exception mentioned is used in the instances of terminals that have applications designed for use with several different financial institutions. In this instance it is common for there to be a 'primary' financial institution application, and subsequent financial institution applications may only be permitted if allowed by the 'primary' application. The primary application 'allows' other applications by controlling access to the key array within the secure software component. If other financial institutions are not permitted access to encrypt keys under the terminal transport key, they must load their hierarchy master keys via a key already present in the key array. This key, then, must be 'given' to them by the primary application. Thus it is possible to request that the secure software component re-assign the ID on a key within the array, to enable it to be used by another application. This key then becomes the master hierarchy key of the new application (or can be used to load this key). Obviously, the plaintext value of this key must be given to the other financial institution, by the primary institution, in order to allow the encryption of keys under this key.
All security code is holistic; it is not possible to violate the security of the terminal by 'jumping' into the code after a security software check.
This prevents malicious application code from attempting to circumvent the security checks of the secure software component.
After PIN-block generation, the plain-text PIN is deleted.
No PIN is ever stored in the terminal after its use.
Any attempt by an application to access the firewalled file/data space will result in the terminal resetting.
Knowledge of any one (or more) of the keys within the terminal does not allow for the derivation of any of the other keys within that terminal. Subsequent keys loaded in under a known key will be necessarily known by the loader (but may not be derived once loaded).
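The key-array tenets above (keys loaded only encrypted under a key already in the array, each slot tagged with the ID the secure component assigned to the loading application, hand-over by the parent application, PINs returned only as an encrypted PIN block) are easiest to see as one small access-control object. The block below is an added illustration for this page, not the patent's code. The description names no cipher, so "encrypt under a key" is modelled by an HMAC-derived keystream XOR with a caller-supplied nonce (a stand-in, adequate for showing the hierarchy semantics and nothing more); the PIN-block layout, slot numbering and application names are constructed.

```python
"""Model of the secure software component's key array: per-application
ownership tags, loading only under an existing key, hand-over, and PIN-block
return without exposing plaintext keys or PINs.  Added illustration for this
page; the wrap cipher is a stand-in, not the terminal's cipher."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for 'encrypt under key'; the nonce must be unique per wrap."""
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


unwrap = wrap   # XOR with the same keystream is its own inverse


class KeyArray:
    TRANSPORT_SLOT = 0   # terminal transport key, owned by the primary application

    def __init__(self, terminal_transport_key: bytes, primary_app_id: int):
        # slot -> (key bytes, owner application ID); key bytes never leave this object
        self._slots = {self.TRANSPORT_SLOT: (terminal_transport_key, primary_app_id)}
        self._next_app_id = primary_app_id + 1

    def register_application(self, name: str) -> int:
        """IDs are assigned by the secure component, never chosen by the application."""
        app_id = self._next_app_id
        self._next_app_id += 1
        return app_id

    def _owned(self, app_id: int, slot: int) -> bytes:
        if slot not in self._slots:
            raise KeyError("no key in slot")
        key, owner = self._slots[slot]
        if owner != app_id:
            raise PermissionError("key belongs to another application")
        return key

    def load_key(self, app_id: int, under_slot: int, nonce: bytes, wrapped: bytes) -> int:
        """Store a key that arrives encrypted under a key the caller owns.
        Only a slot handle is returned; the plaintext exists only in here."""
        kek = self._owned(app_id, under_slot)
        slot = max(self._slots) + 1
        self._slots[slot] = (unwrap(kek, nonce, wrapped), app_id)   # tagged with loader's ID
        return slot

    def hand_over(self, app_id: int, slot: int, new_app_id: int) -> None:
        """The 'parent' application re-tags one of its keys for another application."""
        key = self._owned(app_id, slot)
        self._slots[slot] = (key, new_app_id)

    def pin_block(self, app_id: int, slot: int, pin: str) -> bytes:
        """Return the PIN only as a PIN block encrypted under the caller's key.
        Block layout (constructed): length byte, digits, 0xFF padding to 16 bytes."""
        key = self._owned(app_id, slot)
        block = bytes([len(pin)]) + pin.encode().ljust(15, b"\xff")
        nonce = os.urandom(16)
        enc = wrap(key, nonce, block)
        del pin, block   # plain-text PIN discarded; real firmware overwrites the buffer
        return nonce + enc
```

A second application registered with the array can neither load keys under the primary's slot nor build PIN blocks with it until the primary hands the slot over, after which the primary loses that access in turn; nothing the array returns to either application is a plaintext key.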
Since modifications within the spirit and scope of the invention may readily be effected by persons skilled within the art, it is to be understood that this invention is not limited to the particular embodiment described by way of example hereinabove.

Claims

THE CLAIMS DEFINING THE INVENTION ARE AS FOLLOWS:
1. A memory and controller device for storing and processing security software and data including: a controller; at least one memory coupled to the controller; loading means for allowing security software to be loaded into the controller for storage in a memory location within the memory, and for preventing reloading or alteration of the software in the said storage location within the memory; and the controller being for outputting a control signal to the loading means in response to the software loaded into the said memory location, after loading of the software into the memory location, to disable the loading means to prevent reloading of software or alteration of the software in the said storage location of the storage means.
2. The device of claim 1 further including at least one secure peripheral component and wherein the controller prevents access to the secure peripheral component by anything other than the security software loaded into the storage location in the at least one memory.
3. The device of claim 2 wherein the secure peripheral component includes a keypad for entry of data into the device and/or a display for displaying information to a user, and/or at least one memory location in the at least one memory.
4. The device of claim 1 wherein the loading means includes control means for supplying a logic signal to the controller to allow loading of software into the controller in a bootloader state, switch means for maintaining the control means in the said logic state and interrupter means for supplying a signal to the switch means to cause the switch means to change state to cause the control means to change state so that a logic signal is supplied to the controller to prevent loading of software in the bootloader state.
5. The device of claim 4 wherein the switch means comprises a transistor and a fuse coupled to the control means for causing the control means to supply a logic low to the controller to allow loading of software in the bootloader state, and the interrupter means comprises circuit means coupled to the controller for receiving a signal from the controller to switch on the transistor so that power flows through the fuse to blow the fuse thereby causing the control means to permanently supply the logic signal to the controller preventing loading of software in the bootloader state.
6. The device of claim 5 wherein the control means includes a NAND gate coupled to a base of the transistor so that when a low signal is provided from the controller to the circuit means a high signal is supplied to the base of the transistor to switch the transistor on to cause the fuse to blow.
7. The device of claim 1 wherein the loading means includes a second controller which provides a first signal to enable loading of software and provides a second signal to prevent the loading of software.
8. The device of claim 7 wherein the second controller is coupled to said controller for receiving a signal from said controller when loading of software is completed to cause the second controller to provide a signal to the controller to prevent loading of software in the bootloader state.
9. The device of claim 7 wherein the second controller includes a flag which is interrogated by the second controller so that in one condition of the flag the second controller provides the signal to the said controller to enable loading of software and at the completion of loading of software the said controller provides a signal to change said flag so that further interrogation of the flag by the second controller indicates that loading has been completed and the second controller provides the said signal to the controller to prevent loading of software in the bootloader state.
10. The device of claim 2 wherein the secure peripheral component is prevented from being accessed other than by the security software stored within the said memory location.
11. The device of claim 1 wherein the controller is connected to the memory by at least one memory switch control line so that when the memory switch control line is activated to address the memory storage location which stores the security software, a signal is supplied to the security peripheral component to enable operation of the security peripheral component.
12. The device of claim 2 wherein the security peripheral component includes a keypad and the keypad is coupled to the switching control line by at least one switch means so that when a signal is applied to address the security software the switch means is activated to enable operation of the keypad and when the security software is not being accessed the switch line supplies a signal to the switch to prevent access to the keypad.
13. The device of claim 12 wherein the keypad includes a plurality of scan and read lines which couple the keypad to the controller, the switch comprising a plurality of transistors connected to the scan and read lines so that dependent upon the signals applied to the switching control line, the transistors are held in a state preventing operation of the scan and read lines so that the keypad is not activated or allowing operation of the scan and read lines so that the keypad is activated and signals indicative of particular key presses of the keyboard can be read by the controller.
14. The device of claim 3 wherein the at least one switch control line is connected by second circuit means to the display for enabling the display when the security software is accessed or preventing operation of the display if the security software is not accessed.
15. The device of claim 14 wherein the second circuit means includes logic circuit means for supplying a high signal to an enable of the display when the security software is being accessed and for providing a low signal to the display if the security software is not accessed.
16. The device of claim 2 wherein the security peripheral component includes at least one memory location for storing data, the at least one memory location being disabled from access other than via the security software by supplying a reset signal to the controller to reset the controller thereby denying access to the storage location unless the security software is being accessed.
17. A memory and controller device for storing and processing security software and data including: a controller; at least one memory coupled to the controller; loading means for allowing security software to be loaded into the controller for storage in a first memory location within the memory, and preventing reloading or alteration of the software in the said storage location within the memory; at least one peripheral device coupled to the controller; and wherein the controller enables loading of software and data into the at least one memory in storage locations other than the said first storage location under the control of the security software loaded into the first storage location, and the controller is for controlling operation of the peripheral device so that the peripheral device is only operable under control of the security software stored in the said first storage location.
18. The device of claim 17 wherein the secure peripheral component includes a keypad for entry of data into the device and/or a display for displaying information to a user, and/or memory locations within the at least one memory.
19. The device of claim 17 wherein the loading means includes control means for supplying a logic signal to the controller to allow loading of software into the controller in a bootloader state, switch means for maintaining the control means in the said logic state and interrupter means for supplying a signal to the switch means to cause the switch means to change state to cause the control means to change state so that a logic signal is supplied to the controller to prevent loading of software in the bootloader state.
20. The device of claim 19 wherein the switch means comprises a transistor and a fuse coupled to the control means for causing the control means to supply a logic low to the controller to allow loading of software in the bootloader state, and the interrupter means comprises circuit means coupled to the controller for receiving a signal from the controller to switch on the transistor so that power flows through the fuse to blow the fuse thereby causing the control means to permanently supply the logic signal to the controller preventing loading of software in the bootloader state.
21. The device of claim 20 wherein the control means includes a NAND gate coupled to a base of the transistor so that when a low signal is provided from the controller to the circuit means a high signal is supplied to the base of the transistor to switch the transistor on to cause the fuse to blow.
22. The device of claim 21 wherein the secure peripheral component is prevented from being accessed other than by the security software stored within the said memory location.
23. The device of claim 17 wherein the controller is connected to the memory by at least one memory switch control line so that when the memory switch control line is activated to address the memory storage location which stores the security software, a signal is supplied to the security peripheral component to enable operation of the security peripheral component.
24. The device of claim 18 wherein the security peripheral component includes a keypad and the keypad is coupled to the switching control line by at least one switch means so that when a signal is applied to address the security software the switch means is activated to enable operation of the keypad and when the security software is not being accessed the switch line supplies a signal to the switch to prevent access to the keypad.
25. The device of claim 24 wherein the keypad includes a plurality of scan and read lines which couple the keypad to the controller, the switch comprising a plurality of transistors connected to the scan and read lines so that dependent upon the signals applied to the switching control line, the transistors are held in a state preventing operation of the scan and read lines so that the keypad is not activated or allowing operation of the scan and read lines so that the keypad is activated and signals indicative of particular key presses of the keyboard can be read by the controller.
26. The device of claim 18 wherein the at least one switch control line is connected by second circuit means to the display for enabling the display when the security software is accessed or preventing operation of the display if the security software is not accessed.
27. The device of claim 26 wherein the second circuit means includes logic circuit means for supplying a high signal to an enable of the display when the security software is being accessed and for providing a low signal to the display if the security software is not accessed.
28. The device of claim 18 wherein the security peripheral component includes at least one memory location for storing data, the at least one memory location being disabled from access other than via the security software by supplying a reset signal to the controller to reset the controller thereby denying access to the storage location unless the security software is being accessed.
29. The device of claim 28 wherein the at least one memory comprises a first memory unit for storing code, and a second separate memory unit for storing data.
30. A method of storing security software in a memory and controller device, including: loading the security software into a first storage location of a memory; preventing reloading or overwriting of the security software in the first storage location; and allowing loading of additional non-secure software into storage locations within the memory other than the first storage location under the control of the security software loaded into the first storage location.
31. The method of claim 30 wherein the loading of the non-secure software takes place subsequent to the loading of the security software.
32. The method of claim 30 wherein the loading of the security software takes place by a bootloader state of the controller and after loading of the security software, the bootloader state of the controller is disabled to prevent reloading or alteration of software in the first storage location.
33. The method of claim 30 wherein the method also includes a loading of data into further memory locations of the memory.
34. A method of handling banking encryption keys in a controller and memory device, including: loading a terminal master key at a manufacturing stage of the controller and memory; subsequently allowing loading of a terminal transport key and a terminal message authenticated code key; controlling operation of the terminal master key, the terminal transport key and the terminal message authenticated code key by security software; using the terminal transport key to encrypt the master key for loading into a key array; and using the terminal MAC key to generate message authenticated codes on any one or more of secure prompts, fonts for display on a display, and secure software component code loads.
35. A method of storing security software and data in a controller and memory device, including: storing security software and a key in a secure environment; subsequently allowing storage of subsequent keys loaded as determined by a specific customer of the device; the subsequent keys being encrypted under the key loaded with the security software.
36. The method of claim 35 wherein the method includes tagging each key loaded into the controller and memory with an identification of the application responsible for its loading.
37. The method of claim 35 wherein the identification is assigned to the application by the security software.
38. The method of claim 35 wherein all security code is holistic.
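Claims 30 to 36 as one constructed model, added here and not part of the patent or of any Mcom Solutions code: a write-once first storage location whose bootloader is disabled once the security software and terminal master key are loaded, later keys unwrapped under that master key and tagged with the loading application, and a terminal MAC key that authenticates a non-secure code load before it is written outside the first storage location. The key wrap is a simplified HMAC-keystream stand-in for a real key-wrap algorithm, and all class and key names, key values and the 16-byte nonce are assumptions.

```python
import hmac, hashlib, os

def wrap_under(kek: bytes, plain: bytes) -> bytes:
    # Host-side wrap used by the customer's key loader (toy stand-in: XOR with an
    # HMAC-derived keystream; a real device would use a proper key-wrap mode).
    assert len(plain) <= 32, "toy keystream is one SHA-256 output"
    nonce = os.urandom(16)
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(plain, stream))

class SecureController:
    """Constructed model of the claimed device: write-once first storage location,
    bootloader disabled after that load, key array managed by the security software."""

    def __init__(self, size: int = 4096):
        self.memory = bytearray(size)
        self.bootloader_enabled = True   # claim 32: only until the first load
        self.secure_end = 0              # end of the first storage location
        self.keys = {}                   # name -> (key bytes, loading app id)

    def bootload(self, image: bytes, terminal_master_key: bytes) -> None:
        # claims 30/32/34: load the security software and TMK once, then disable
        # the bootloader so the first storage location can never be reloaded
        if not self.bootloader_enabled:
            raise PermissionError("bootloader disabled; security software is fixed")
        self.memory[0:len(image)] = image
        self.secure_end = len(image)
        self.keys["TMK"] = (terminal_master_key, "security_software")
        self.bootloader_enabled = False

    def load_key(self, name: str, wrapped: bytes, app_id: str) -> None:
        # claims 35/36: later keys arrive encrypted under the TMK and are tagged
        # with the application responsible for loading them
        tmk, _ = self.keys["TMK"]
        nonce, ct = wrapped[:16], wrapped[16:]
        stream = hmac.new(tmk, nonce, hashlib.sha256).digest()
        self.keys[name] = (bytes(a ^ b for a, b in zip(ct, stream)), app_id)

    def mac(self, data: bytes) -> bytes:
        # claim 34: the terminal MAC key authenticates prompts, fonts and code loads
        mac_key, _ = self.keys["TMAK"]
        return hmac.new(mac_key, data, hashlib.sha256).digest()

    def load_nonsecure(self, offset: int, image: bytes, tag: bytes) -> None:
        # claim 30: additional software lands only outside the first storage
        # location, and only when the security software accepts its MAC
        if offset < self.secure_end:
            raise PermissionError("first storage location cannot be overwritten")
        if not hmac.compare_digest(self.mac(image), tag):
            raise ValueError("code load MAC mismatch: load refused")
        self.memory[offset:offset + len(image)] = image
```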
Dated this 21st day of March 2001
MCOM SOLUTIONS INC By their Patent Attorneys
GRIFFITH HACK
Fellows, Institute of Patent and Trade Mark Attorneys of Australia
PCT/AU2001/000317 2000-06-09 2001-03-22 Controller and memory for storing and processing security software and data WO2001095114A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001239021A AU2001239021A1 (en) 2000-06-09 2001-03-22 Controller and memory for storing and processing security software and data

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPQ8096 2000-06-09
AUPQ8096A AUPQ809600A0 (en) 2000-06-09 2000-06-09 Controller and memory for storing and processing security software and data

Publications (1)

Publication Number Publication Date
WO2001095114A1 true WO2001095114A1 (en) 2001-12-13

Family

ID=3822167

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2001/000317 WO2001095114A1 (en) 2000-06-09 2001-03-22 Controller and memory for storing and processing security software and data

Country Status (2)

Country Link
AU (1) AUPQ809600A0 (en)
WO (1) WO2001095114A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0331407A2 (en) * 1988-02-29 1989-09-06 Hitachi Maxell Ltd. IC card
US5007089A (en) * 1990-04-09 1991-04-09 International Business Machines Corporation Secure key management using programable control vector checking
EP0595288A1 (en) * 1992-10-27 1994-05-04 Kabushiki Kaisha Toshiba Security circuit for protecting data stored in memory
GB2320855A (en) * 1996-12-31 1998-07-01 Motorola Inc Securing electronic information in a wireless communication device
EP0609893B1 (en) * 1993-02-05 2000-04-19 Kabushiki Kaisha Toshiba Nonvolatile semiconductor memory device using a command control system

Also Published As

Publication number Publication date
AUPQ809600A0 (en) 2000-07-06

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: COMMUNICATION NOT DELIVERED NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC (EPO FORM 1205A DATED 16.01.04)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP