Smart-card comprising a virtual local network
Field of the invention
The invention relates to a portable object comprising a USB (Universal Serial Bus) interface. A portable object can be, for example, a smart-card that includes a microprocessor and memory means.
Background of the invention
Smart-cards that comprise a USB interface are known, for example the "e-Gate" product commercialized by the Applicant.
In the following description, "computer" has a broad meaning: personal computer, portable device such as a personal digital assistant, notebook or laptop computer, smart-phone, etc.
The word "internet" means "interconnected networks".
The USB specifications (in particular the Universal Serial Bus Specification Revision 2.0 published April 27, 2000) can be found on www.usb.org. Figure 1 illustrates the USB topology. The USB connection can be seen as a tiered structure made of three types of devices:
1. The USB root, which is held by a computer via a Host, or by any other USB compatible device.
2. The USB hub (interconnecting function). There is at least one hub in a USB, namely the root hub Hub 1. There may be up to five levels of hubs on the same bus (Hub 2, 3, 4, 5 and 6). A hub is understood as being a device connected to several other devices (e.g. computers, printers, etc.) and responsible for exchanging messages between said devices.
3. The USB functions Func, which are always connected to a hub. A function may be a scanner, a printer, a joystick, etc.
In the USB standard, a real device (e.g. the e-Gate smart-card, a printer, etc.) is always coupled with a virtual device. The virtual device is the device driver allowing the computer application to access the real device functions.
When installing a USB device on a computer, it is necessary to install a device driver for enabling a correct interaction with the operating system of the computer to which the device is connected. The product user has to follow the instructions, waiting for the product to be detected by the host. Then a CD-Rom is introduced in the reader and read, and the driver is installed. Operating systems (e.g. Microsoft Windows) generally comprise several standard device drivers (virtual devices). In this case, once connected, the additional USB device is operational without requiring an additional driver installation. It is for example the case for removable mass storage disks (non-volatile memory such as flash RAM), for USB hubs and for network adapters providing access to an Ethernet local network (LAN).
Applicant's patent applications PCT/IB03/03025 and PCT/IB03/02801 propose solutions for populating a USB smart-card with its own device driver. With such a solution, it is no longer required to download and/or install the driver from an internet website or from a dedicated CD-Rom.
Figure 2 represents schematically a compound device, e.g. a USB type smart-card. When the card is introduced in a Personal Computer USB host (through the ISO connectors IC, introduced in an appropriate reader, not represented), a USB hub and a USB removable drive (a mass storage device) are automatically recognized. The device drivers for the functions USB FUNC 2 and USB FUNC 3, which are stored in the storage device, are immediately available to the computer. The USB compound device is thus autonomously installable. The arrows on the Figure represent the exchange of data.
One could install two network adapters on a single computer. In such a case, there are two separate networks connected to a single machine. The interconnection between the two networks does not exist by default. It is required to choose at least one of the following solutions to transfer data from one adapter to the other:
- install software that enables this function;
- parameterize the routing table of the computer operating system so as to share its primary network connection, thus making it accessible to a device installed on another network connection (interface), without having to install additional software on the computer. The computer OS then performs network address translation (NAT), allowing a device to access the internet while it does not have a valid IP address to gain the access on its own.
Such solutions are well known and are used to share services (e.g. internet access) among the members of a computer network.
The USB smart-cards of the prior art are characterized by the following facts:
- the device driver has to be written and maintained along with operating system evolutions. The writing and fine-tuning of a device driver is difficult, and is the source of many issues for both installation and use;
- the ISO protocol (the ISO-7816 standard defines the communication behaviour between a card and a card-accepting device), which is still embedded in the USB protocol, limits the universality of the smart-card. In particular, a device or a piece of software addressing the smart-card needs to be compliant with its communication characteristics.
Object and summary of the invention
Therefore, it is an object of the present invention to provide a portable object, for example a smart-card, that overcomes at least one shortcoming of the prior art cards.
According to the invention, a portable object, in particular in the form of a smart-card, comprises an interface of the USB type and a virtual local network. The portable object further comprises a network adapter giving access to the virtual local network and allowing the dynamic configuration of that network upon standard detection of the adapter, the virtual local network supporting the internet Protocol (IP).
Advantageously, the USB type interface complies with the USB Communication Device Class (CDC) Ethernet adapter standard.
The virtual local network may comprise a Hypertext Transfer Protocol (HTTP) server, or a Domain Name System (DNS) server, or a Dynamic Host Configuration Protocol (DHCP) server, or an internet Protocol gateway, or an email server.
The HTTP, DNS, DHCP and email servers may each have a different IP address.
Alternatively, the virtual local network can be a combination of these servers. The virtual local network may comprise one or several servers combining the functions of an HTTP and/or DNS and/or DHCP and/or gateway and/or e-mail server, and/or the function of any server or service according to the W3C, said server(s) having a single IP address.
As is already done between computers connected to the internet, such servers may establish a communication with another distant server over the internet to perform miscellaneous operations such as mutual authentication, secure channel establishment, data downloading and uploading, etc.
More generally, the virtual local network may comprise any server or service according to the World Wide Web Consortium (W3C) rules. Further, the portable object may comprise any network related function that can work on a protocol stack such as the internet Protocol (IP) and on a network adapter such as an Ethernet network adapter.
According to the invention, it is now possible to have a standard-driven, internet-ready, autonomously installable USB smart-card.
Brief description of the drawings
The following detailed description, given by way of example, will be best understood with the accompanying drawings, in which:
- Figure 1 represents schematically the known USB bus topology,
- Figure 2 illustrates a known smart-card comprising a USB interface,
- Figures 3 and 4 illustrate a smart-card comprising a USB interface according to the invention,
- Figure 5 illustrates the process of assigning an IP (internet Protocol) address to the smart-card according to the invention,
- Figure 5bis illustrates the different layers supported by the smart-card according to one form of realization of the present invention,
- Figure 6 illustrates the process for providing the IP address of the WEB server of the smart-card according to the invention,
- Figure 7 illustrates the process of establishing a bridge between the virtual local network in the smart-card and the true network adapter in the computer according to the invention,
- Figures 8 to 11 illustrate a particular example of implementation of the invention, comprising the different steps of assigning IP addresses to a smart-card (Figure 8), assigning additional IP addresses to the smart-card for the DHCP server implementation (Figure 9), implementing a web server in the smart-card (Figure 10) and interconnecting the virtual network of the smart-card to the internet for a computer user (Figure 11).
Detailed description of the invention
Figures 3 and 4 represent schematically a smart-card comprising a USB interface according to the invention. In Figures 3 and 4, the smart-card comprises the following functions:
- a USB standard network adapter device,
- a virtual local (private) network.
In Figure 3, the smart-card also comprises the following additional functions:
- a USB standard storage device (e.g. a removable drive),
- a USB standard hub device.
The virtual local network can include a network-connected "computer" having its own IP address and embedding an HTTP server. The Hypertext Transfer Protocol (HTTP) is known as the protocol for transferring hypertext requests and information between servers and browsers over the internet Transmission Control Protocol (TCP).
The virtual local network can further include a DNS (Domain Name System) server having its own IP address.
The virtual local network can further include a DHCP (Dynamic Host Configuration Protocol) server/controller having its own IP address. The virtual local network can further include an email server. The electronic mail server may be a Post Office Protocol (POP) server and a Simple Mail Transfer Protocol (SMTP) server, etc.
As shown in Figure 5bis, according to one form of realization of the present invention, the different protocol layers supported by the smart-card are:
- a USB device controller (i.e. a physical USB layer);
- a USB interface firmware;
- a USB device firmware;
- an IEEE 802.3 (and/or IEEE 802.2 and/or MAC) (Ethernet) LLC (logical link control) layer.
With those components, the smart-card is able to support a virtual local area network (LAN): the smart-card is seen by the computer PC as a LAN.
In Figure 5bis, the virtual local network relies on:
- an IP layer;
- a TCP layer;
and includes an application layer holding a DHCP server, an HTTP server, a DNS server, a gateway, etc.
The smart-card includes software, in particular software that makes the smart-card behave like a virtual network server. The software may also have various functions depending on the operating system to which the card is connected. Several software packages adapted to several operating systems may be present in the smart-card. This software may:
- parameterize the USB standard network adapter device. This can be done either by activating the internet connection sharing under Microsoft Windows XP, for example, or by assigning a default IP address compatible with the current computer parameters;
- perform the routing of IP addresses between the virtual local network of the smart-card and the "real network" to which the computer is connected through a physically existing network adapter card (the true network adapter TNA in Figures 5 to 7). Therefore, the internet WWW can address the IP devices present on the virtual local network and, inversely, any of the devices having an IP address and present on the virtual local network can access the internet.
In the example shown in Figure 3, the smart-card embeds a USB standard storage device that is addressable by the computer before the smart-card network adapter is fully operational (i.e. installed with all its parameters). All software may be stored in the storage device. Alternatively, in the example shown in Figure 4, there is no storage device. The network adapter of the smart-card is addressed using the default parameters of the computer operating system. The software supporting the routing of IP addresses between the card and the true network adapter is stored in an HTTP server located in the smart-card virtual network. This software is accessible using a process analogous to downloading software from the internet. As an alternative to the HTTP server, a File Transfer Protocol (FTP) server or any other server enabling file transfer over the internet would also work, since the card presents itself to the computer as a network.
Figure 5 illustrates the process of assigning an IP (internet Protocol) address to the smart-card according to the invention. This procedure typically takes place the first time a smart-card SC according to the invention is inserted in the USB reader of a computer PC. The computer PC sends a DHCP request DHCP_R to the smart-card through the USB host H of the computer PC (the host comprises the network adapter NA in the form of a software layer) and the USB interface of the card SC (the card comprises the network adapter SC_NA in the form of a software layer). The DHCP server receives the request and assigns an address @IP0 to itself, an address @IP1 to the network adapter of the card SC_NA, and an address @IP2 to the DNS server, respectively. Then the DHCP server communicates all these IP addresses to the computer via the USB connection.
Figure 6 illustrates the process of assigning an IP address to the server name of the smart-card according to the invention.
The computer PC user launches an Internet browser IB and requests access to a predetermined server name, e.g. "MyOwnSmartCard" MOSC. The first time such an access is requested, it is necessary to assign an IP address to the requested server name so that the Internet browser IB can receive data directly from the web server WS within the card. This server name is recognized by the DNS server in the smart-card. The DNS server assigns an IP address @IP3 to the name MyOwnSmartCard MOSC of the web server WS. The smart-card replies to the Internet browser IB request by sending the IP address @IP3 of the smart-card web server. Now the Internet browser IB is able to link the server name with an IP address. A web page WP stored in the smart-card SC can be returned to the browser that addressed the HTTP server using @IP3. The computer PC user is then able to browse within the web pages stored in the smart-card.
Figure 7 illustrates the process of establishing a bridge between the virtual local network in the smart-card and the true network adapter TNA in the computer PC by using the smart-card according to the invention. From the Internet browser, the user can navigate within the smart-card. He can also have the PC execute a piece of software SI stored in the smart-card and made available through an HTTP request. This software SI may be securely signed in order to be recognized on the PC as issued by a genuine trusted source. The software SI, or a specific driver, manages (schematically represented by the dotted line) the interface IVT between the virtual network adapter NA of the USB host H and the true network adapter TNA of the computer PC, enabling a connection to an internet service server ISS via the Internet WWW.
In both cases, the software SI performs the functions required for routing the IP frames between the network adapter in the smart-card SC_NA and the network adapter TNA of the PC connected to the internet WWW. From then on, the servers ISS accessible on the internet and the one in the smart-card can exchange data.
A particular example of implementation of the invention will now be described in relation with Figures 8 to 11.
Figure 8 illustrates the process of assigning IP (internet Protocol) addresses to the smart-card according to the invention. This procedure may take place each time a smart-card according to the invention is inserted in the USB reader of a computer PC.
After the electrical detection of this new USB device by the computer PC, several exchanges take place between the card and its host, according to the USB standard. The card answers according to the "Class Definitions for Communication Devices" document, presenting itself as an Ethernet network adapter.
Having finished the USB hot plugging procedure, the computer PC detects a new Ethernet network adapter requiring a dynamic configuration. It then starts the DHCP client software embedded in the computer operating system.
Figure 9 illustrates the commands and answers exchanged between the DHCP client in the host and the DHCP server in the smart-card according to the invention for completing the smart-card address assignment process.
In a first step, the host detects a new network adapter. The host sends a DHCPDISCOVER message to the smart-card.
In a second step, the DHCP server connected to the virtual network in the smart-card replies by sending a DHCPOFFER message to the client.
In a third step, the host sends a DHCPREQUEST message to the smart-card. The host thereby requests its working parameters for accessing the virtual local network in the smart-card.
In a fourth step, the DHCP server connected to the virtual network in the smart-card replies by sending a DHCPACK message to the client. This message contains the IP addresses of:
- the network adapter embedded in the smart-card (@IP1);
- the DNS server embedded in the smart-card (@IP2);
- the gateway embedded in the smart-card (@IP3);
- the DHCP server embedded in the smart-card itself (@IP0).
All these messages are transmitted to the computer via the USB connection. However, from the computer network software layers standpoint, there is neither USB nor smart-card connection, but an Ethernet network adapter.
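The four-step exchange of Figure 9, written out as an added example that is not part of the original application: a minimal card-side DHCP server and host-side client over BOOTP/DHCP wire format (RFC 2131 option codes 53, 54, 50, 51, 1, 3, 6). The concrete addresses for @IP0 to @IP3 and the lease time are assumptions for the example; the server only acknowledges a DHCPREQUEST that names its own server identifier and the lease it offered, and refuses anything else with a DHCPNAK.

```python
import struct

# Assumed addresses for this example, labelled as in the description:
# @IP0 = DHCP server, @IP1 = lease given to the host's new adapter,
# @IP2 = DNS server, @IP3 = gateway (all inside the card's private network).
IP0_DHCP, IP1_LEASE, IP2_DNS, IP3_GATEWAY = "10.10.1.254", "10.10.1.1", "10.10.1.2", "10.10.1.3"
SUBNET_MASK, LEASE_SECONDS = "255.255.255.0", 86400
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the BOOTP header
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types

def ip(s):
    """Dotted quad -> 4 raw bytes."""
    return bytes(int(x) for x in s.split("."))

def quad(b):
    return ".".join(map(str, b))

def build(op, xid, chaddr, yiaddr, options):
    """Encode a BOOTP/DHCP message: 236-byte fixed header, cookie, TLV options, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"

def parse(msg):
    """Return (xid, client hardware address, {option code: raw value})."""
    xid, = struct.unpack_from("!I", msg, 4)
    chaddr = msg[28:34]
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:                          # pad byte
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return xid, chaddr, opts

def card_dhcp_server(msg):
    """The smart-card's DHCP server: DISCOVER -> OFFER, REQUEST -> ACK (or NAK)."""
    xid, chaddr, opts = parse(msg)
    mtype = opts.get(53, b"\0")[0]
    if mtype == DISCOVER:
        reply = OFFER
    elif mtype == REQUEST:
        # Only confirm a request that selected this server and the lease it offered.
        if opts.get(54) != ip(IP0_DHCP) or opts.get(50) != ip(IP1_LEASE):
            return build(2, xid, chaddr, "0.0.0.0", [(53, bytes([NAK])), (54, ip(IP0_DHCP))])
        reply = ACK
    else:
        return None                              # message types the card does not serve
    params = [(53, bytes([reply])), (54, ip(IP0_DHCP)), (51, struct.pack("!I", LEASE_SECONDS)),
              (1, ip(SUBNET_MASK)), (3, ip(IP3_GATEWAY)), (6, ip(IP2_DNS))]
    return build(2, xid, chaddr, IP1_LEASE, params)

def host_client(mac=b"\x02\x00\x00\x00\x00\x01", xid=0x1234):
    """The host's DHCP client walking the four steps; returns the adapter configuration."""
    offer = card_dhcp_server(build(1, xid, mac, "0.0.0.0", [(53, bytes([DISCOVER]))]))
    _, _, o = parse(offer)
    offered, server = offer[16:20], o[54]        # yiaddr field and server identifier
    ack = card_dhcp_server(build(1, xid, mac, "0.0.0.0",
                                 [(53, bytes([REQUEST])), (50, offered), (54, server)]))
    _, _, a = parse(ack)
    if a[53][0] != ACK:
        raise RuntimeError("lease refused by the card")
    return {"adapter": quad(ack[16:20]), "dns": quad(a[6]), "gateway": quad(a[3]), "dhcp": quad(a[54])}
```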
After the above-mentioned steps, the computer PC and the smart-card are able to exchange data. The user can now access the smart-card using standard network and internet tools such as a browser (e.g. internet Explorer or Netscape).
Figure 10 illustrates the process for accessing the web server (HTTP server) in the smart-card using a standard internet browser.
The computer PC user launches an internet browser and requests access to a predetermined server name (URL) (e.g. "MyOwnSmartCard") for the first time. It is necessary to associate an IP address with the requested server name so that the internet browser can directly address the web server within the card. The internet browser can interrogate the DNS server at the IP address @IP2. The DNS server in the smart-card recognizes the name "MyOwnSmartCard" and returns the HTTP server IP address @IP4. Defining an IP address @IP4 is not mandatory. Alternatively, the HTTP server may have the same address as the DNS server, but the HTTP service then has to be addressed using a dedicated port, e.g. port 80 (there are 65535 ports per IP address, allowing different services to be addressed at the same IP address). Knowing the IP address of the HTTP server "MyOwnSmartCard", the browser sends a request in order to access the HTTP server content. A default web page stored in the smart-card web server is returned to the browser. The computer PC user is then able to browse within the web pages stored in the smart-card.
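The name resolution of Figure 10, as an added example that is not part of the original application: the card's DNS server at @IP2 answers an A query for "MyOwnSmartCard" with the HTTP server address @IP4 and returns NXDOMAIN for every other name, so that the host resolver falls back to its real network for those. The addresses, the TTL and the browser-side `resolve()` helper are assumptions for the example.

```python
import struct

# Assumed addresses for this example: @IP2 is the card's DNS server, @IP4 its HTTP server.
IP2_DNS, IP4_HTTP = "10.10.1.2", "10.10.1.4"
CARD_NAMES = {"myownsmartcard": IP4_HTTP}        # the only name the card's DNS is authoritative for
QTYPE_A, QCLASS_IN, TTL = 1, 1, 300

def build_query(qid, name, qtype=QTYPE_A):
    """Encode a standard DNS query (RD=1) as the host resolver sends it to @IP2."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, QCLASS_IN)

def read_name(msg, off):
    """Decode an uncompressed label sequence; returns (name, offset after the root label)."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0:                              # compression pointer: not valid in a question
            raise ValueError("compressed name in question section")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def card_dns_server(query):
    """Answer an IN A query for the card's own name with @IP4; anything else gets NXDOMAIN."""
    qid, flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1 or flags & 0x8000:            # exactly one question, and not a response
        return None
    name, off = read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    addr = CARD_NAMES.get(name.lower()) if (qtype, qclass) == (QTYPE_A, QCLASS_IN) else None
    if addr is None:
        # QR=1, AA=1, RD=1, RA=1, RCODE=3 (NXDOMAIN): the card does not know this name
        return struct.pack("!HHHHHH", qid, 0x8583, 1, 0, 0, 0) + question
    # Answer RR: pointer to the question name (0xC00C), type A, class IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, 4)
    answer += bytes(int(x) for x in addr.split("."))
    return struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0) + question + answer

def resolve(name, qid=0x1234):
    """Browser side: query the card's DNS and return the A record, or None on NXDOMAIN."""
    reply = card_dns_server(build_query(qid, name))
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or flags & 0x000F or ancount == 0:
        return None
    _, off = read_name(reply, 12)                 # skip the echoed question name
    _, rtype, _, _, rdlen = struct.unpack_from("!HHHIH", reply, off + 4)
    rdata = reply[off + 16:off + 16 + rdlen]      # question tail (4) + RR fixed part (12)
    return ".".join(map(str, rdata)) if rtype == QTYPE_A and rdlen == 4 else None
```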
Figure 11 shows how a computer user can interconnect the virtual network of the smart-card to the internet. As described herein before, from the internet browser the user can navigate within the smart-card. He can also execute a piece of software SI stored in the smart-card and made available through an HTTP request (exactly as is possible over the internet). The software SI manages (schematically represented by the double arrow) the interface IVT between the virtual network adapter VNA of the USB host and the true network adapter TNA of the computer PC, enabling a connection to a service provider server ISS via the internet WWW. In both cases, the software SI performs the functions required for routing the IP frames between the network adapter in the smart-card VNA and the network adapter TNA of the PC connected to the internet WWW. From then on, any ISS server on the internet and the one in the smart-card can exchange data.
A further example will be described with a personal computer PC having, e.g., a Microsoft Windows 2000 or XP environment. Other environments are of course possible.
A standard computer includes a network adapter that allows it to receive/send emails, browse the internet, etc. It has its own IP address (e.g. 80.228.12.179) associated with its network adapter card (e.g. a network adapter commercialized by 3COM).
A smart-card according to the invention is inserted in one of the free USB ports of the PC.
The PC automatically detects a new network adapter and configures it dynamically using the Dynamic Host Configuration Protocol (DHCP).
The PC gets the IP address of the newly detected network adapter from a DHCP controller/server on the new network that is presented by the card (i.e. the smart-card connected to the USB).
The card replies by automatically assigning an IP address to the virtual network adapter (e.g. 10.10.1.1). It also provides the IP address of a DNS server, the IP address of the gateway and the IP address of the DHCP server. The PC now embeds two network adapters that have no relation with each other (i.e. no communication is possible between the two adapters at this moment).
If the PC user launches an internet browser (e.g. Microsoft IE or Netscape Navigator) and tries to reach a server (e.g. "http://www.google.com"), the IP frames go to, and come from, the two network adapter cards (the real one and the virtual one). If the user requests access to a predetermined server name (e.g. "MyOwnSmartCard"), the name is recognized by the DNS server in the smart-card. The smart-card DNS returns the IP address of the smart-card HTTP server. Thus a default WEB page stored in the smart-card is returned to the browser in response to the HTTP request. From this browser, the user can navigate within the smart-card. He may launch or download software stored in the smart-card and made available through an HTTP request (exactly as is possible over the internet). This software may be securely signed by the OS issuer in order to be recognized on the PC as issued by a genuine trusted source. Using the same principle, this software may be installed on the PC through a dedicated procedure (such as the one used by Microsoft to upgrade their operating system). Whatever the method, the software performs the functions required for routing the IP frames between the network adapter in the smart-card and the network adapter of the PC connected to the internet. Under Microsoft Windows XP, this may be done with the network connection sharing function, which simply consists in changing network parameters. From then on, the servers on the internet and the one in the smart-card can exchange data.
With a smart-card according to the invention, it is not necessary for the user to install device drivers to address the smart-card, as it is viewed as a local network, which is already supported by major operating systems. It is also possible for the smart-card to receive and send standard internet requests.
Further, internet access security is improved by uniquely identifying the user of the computer using cryptographic means of the smart-card, thus avoiding fraudulent access by third parties.
With the present invention, the smart-card becomes accessible to currently existing objects connected to the internet, without requiring them to understand what a smart-card is. Nevertheless, the security level of a smart-card is still provided.