CA2315986A1 - Secure personalization of chip cards - Google Patents
Secure personalization of chip cards Download PDFInfo
- Publication number
- CA2315986A1 CA2315986A1 CA002315986A CA2315986A CA2315986A1 CA 2315986 A1 CA2315986 A1 CA 2315986A1 CA 002315986 A CA002315986 A CA 002315986A CA 2315986 A CA2315986 A CA 2315986A CA 2315986 A1 CA2315986 A1 CA 2315986A1
- Authority
- CA
- Canada
- Prior art keywords
- chip card
- personalization
- descriptor
- data
- personalizing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 claims abstract description 20
- 230000005540 biological transmission Effects 0.000 claims description 4
- 238000004590 computer program Methods 0.000 claims 1
- 101100243945 Fusarium vanettenii PDAT9 gene Proteins 0.000 description 7
- 208000012204 PDA1 Diseases 0.000 description 7
- 101150102492 pda1 gene Proteins 0.000 description 7
- 238000003860 storage Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 101001072191 Homo sapiens Protein disulfide-isomerase A2 Proteins 0.000 description 3
- 102100036351 Protein disulfide-isomerase A2 Human genes 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000002955 isolation Methods 0.000 description 3
- 208000030825 patent ductus arteriosus 2 Diseases 0.000 description 3
- 101000648503 Homo sapiens Tumor necrosis factor receptor superfamily member 11A Proteins 0.000 description 2
- 102100028787 Tumor necrosis factor receptor superfamily member 11A Human genes 0.000 description 2
- 101100123718 Neurospora crassa (strain ATCC 24698 / 74-OR23-1A / CBS 708.71 / DSM 1257 / FGSC 987) pda-1 gene Proteins 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 101150008465 pdb1 gene Proteins 0.000 description 1
- 238000002360 preparation method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/355—Personalisation of cards for use
- G06Q20/3552—Downloading or loading of personalisation data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/357—Cards having a plurality of specified features
- G06Q20/3576—Multiple memory zones on card
- G06Q20/35765—Access rights to memory zones
Abstract
This invention relates to a method of initializing and personalizing a chip card and to a chip card for this purpose. In accordance with the present invention, there are created in the data memory of the chip card data structures which enable the personalizing data which is to be transmitted to the chip card at the time of personalization to be unambiguously assigned to the various chip card applications and thus to the providers of these applications. As a result, the chip card applications are securely isolated from one another at the time of personalization.
Description
SECURE PERSONALIZATION OF CHIP CARDS
Field of the Invention This invention relates to a method of initializing and personalizing a chip card and to a chip card for this purpose.
Background of the Invention When chip cards are being produced, there are two stages in the production process which have to do with loading data into the card, namely initialization and personalization.
t0 During initialization, the structures that will be needed later on, such as files and directories and the correlation between them, are created in the memory of the chip card.
Also loaded into the chip card is data, this data being the same for all the cards in a given series or run. Where initialization is concerned, speed has a significant impact on cost.
During personalization, secret and/or card-specific information is loaded into the chip card.
If, for example, the number of the card-issuing body, which is the same for all the cards, was recorded at the time of initialization, then at the time of personalization it is for example the credit card number, which is specific to the card, which is programmed into the memory of the card. An 2o important requirement in this case is that personalization should be possible only for those data fields which are intended to be personalized. It must be ensured that the data is written to the right place, i.e. only to the fields which were set aside for personalizing data at the time of initialization. The way in which this requirement is met is that so-called placeholders are loaded into the memory of the chip card during initialization. When personalizing data is then being transmitted to a field intended for such data during personalization, additional information is passed to the chip card along with the personalizing data. This additional information is then compared with the information stored in the placeholder. If the two sets of information are the same, the personalizing data is written to the memory of the chip card. However, a check of this kind is not sufficiently robust to rule out the possibility of misuse. There are known chip cards which have a plurality of chip card applications stored on them. A chip card application is a service which the chip card is able to provide, such as a payment function (chip card application A) or an electronic driver's license (chip card application B). To guarantee security when the chip card is being personalized, it is necessary for the chip card applications to be isolated from one another at the time of personalization, i.e. for it to be ensured that only the provider of chip card application A is able to personalize chip card application A or in other words is able to load data for chip card application A into the card.
The same applies to the provider of chip card application B and to any other chip card applications.
To date, secure isolation between chip card applications at the time of personalization has not been achieved in any chip card personalizing system.
to An object of the present invention is to provide a method for the improved initialization and personalization of chip cards and a chip card for this purpose.
In accordance with the invention, this object is achieved by means of the features described in the independent claims.
Summary of The Invention In accordance with the present invention, data structures are created on the chip card which allow the data which is to be transmitted to the chip card at the time of personalization to be 2o unambiguously assigned to the individual chip card applications and thus to the providers of these applications. This produces secure and reliable isolation between the chip card applications at the time of personalization. The present invention makes it impossible during personalization for personalizing data to be written to data fields not intended for this purpose by, for example, the providers of chip card applications. The present invention allows robust personalization of the fields for personalizing data which were defined as such at the time of initialization where only the locations intended for this purpose in the memory of the chip card can be personalized. No additional storage space is required in the memory of the chip card in order to put the present invention into practice. At the same time, the initialization required for personalization of this kind can be carried out without any loss of speed in comparison with conventional methods of initialization.
Brief Description of the Drawings The invention will be described in greater detail below by reference to preferred embodiments. In the drawings:
Fig. l is a diagram showing the layout of a chip card having a data memory and individual memory blocks.
Fig.2 is a diagram showing the layout of two personalization descriptors (PD's) and the logic connection between them, according to the present invention.
to Fig.3 is a diagram showing the layout of an application descriptor (AD) and two personalization descriptors (PD's) and the logic connections between them, according to the present invention.
t 5 Fig.4 shows the data memory of a chip card after initialization in accordance with the invention.
Fig.S shows the data memory of a chip card during personalization in accordance with the invention, and 2o Fig.6 is a flow chart for a personalizing operation in accordance with the present invention.
Detailed Description of the Invention Fig. l shows a chip card 100 as used in a preferred embodiment of the present invention. The chip card in question is a so-called smart card or in other words a chip card having a processor 101, 25 data memory 102 and software, such as the chip card operating system. It is preferable in this case for the data memory 102 of chip card 100 to be managed by a memory manager which is located on chip card 100 and which is, for example, part of the chip card operating system. The memory manager divides data memory 102 on chip card 100 into individual memory blocks 103. This division is preferably performed dynamically, i.e. to suit the storage space required by the individual operating system functions or chip card applications. Each memory block 103 has a physical address which is managed by the memory manager. Since these addresses depend on the version of the chip card operating system which is current, on the chip card hardware which is being used, and on other incidental conditions, what are used in the preferred embodiment are offsets.
If an area is to be initialized in memory 102 of chip card 100, to create a file for example, a free memory block 103 is assigned, and data written to it if required, by means of a chip card command such as CREATE
FILE. To allow data to be written to a particular area within block 103, what is preferably used in turn is an offset, which is, for example, referred to the start of block 103.
By using relative memory addresses it becomes possible to escape from the constraints imposed by hardware-specific, physical to memory addresses.
In what follows, a description will be given of the initialization which serves as a preparation for the personalization of chip card 100.
During the initialization, a so-called personalization descriptor (PD) is written to every location within a memory block 103 which is intended to hold a field of personalizing data. Fig.2 shows the layout of a PD 200. Each personalization descriptor contains an offset field NEXT 203.
In addition to this, each personalization descriptor may also contain a length field LEN 201 and a status field FLAGS 202. To define other personalization characteristics it is possible for other optional fields to be inserted.
If it is necessary for more than one personalizing record to be transmitted in order to personalize a chip card application, storage locations for this purpose are reserved in data memory 102 of chip card 100 by other PD's in the course of the initialization. The offset field NEXT 203 of PD 200 specifies the offset, i.e. the memory address, of a further PD 210. By means of the offset field 203, the PD's 200, 210 required are organized into PD lists so that there are a series of PD's 200, 210, etc. in a set order laid down for the personalization process. From the organizational point of view, PD's 200, 210, etc. in this case are connected together in the same order as that in which the personalizing data will be transmitted to chip card 100 during the subsequent personalization.
To indicate that the PD list does not contain any further items, or that it consists of only a single item, what can for example be done is to make the content of the offset field 203 of the last PD zero.
Fig.2 shows how two PD's, PD1 and PD2 in this case, are connected to form a PD
list. The use of relative memory addresses means, as described above, that the constraints of physical addresses can be avoided, which is particularly advantageous when retrospective changes have to be made to the chip card hardware or operating system.
To increase the robustness of the personalization, the optional length field LEN 201 can be put in. What is stated in length field LEN 201 of PD 200 is the length, in bytes for example, of the field for personalizing data which will take the place of the PD 200 to which length field 201 belongs during the subsequent personalization.
It is preferable for the length of a PD 200 which is written to data memory 102 during initialization to be smaller than that of the field of personalizing data which will be transmitted subsequently. The length of a PD may be 4 bytes for example, whereas that of a field of personalizing data may for example be 40 bytes. However, it is equally possible for a PD 200 to be the same size as its associated field of personalizing data. The introduction of length field 201 makes it possible for protection to be obtained against the destruction of the initialized memory structures.
2o To provide even greater security during personalization, the optional status field FLAGS 202 can be put in. The status field 202 of a PD 200 is used to store various status bits, known as flags, which specify what characteristics need to be exhibited by the personalizing data which will be written in place of PD 200 at the time of personalization. It can for example be specified whether the personalizing data must be encrypted/non-encrypted and/or signed/unsigned, etc.
The introduction of extended personalization descriptors of this kind makes it possible for the personalization process to be controlled in a way which can be individually defined for each personalizing record.
Also, during the initialization, at least one application descriptor (AD) is created for each chip card application in memory 102 of chip card 100. Since the chip card applications are each assigned to a provider, the ADs too are assigned to the providers of the chip card applications. The layout of an AD 300 is shown in Fig.3.
To allow it to be identified, an AD 300 includes an application designator 301 which designates the chip card application which is to be personalized using AD 300.
The application designator 301 will be referred to in what follows as an application identifier (AID). AID 301 preferably includes the name of the relevant chip card application and an unambiguous numerical 1o identification for AD 300.
AD 300 also includes the offset ACT 302 for the next PD to be processed.
Offset field 302 is so initialized in this case that before personalization begins it points to the first PD 200 in a PD
list.
AD 300 may also include other data, such as key data KEY 303 for the use of cryptographic security mechanisms, such as for the decrypting of personalizing data transmitted in encrypted form or for the checking of a signature. This allows any provider of chip card applications to individually formulate the cryptographic security procedures which are to be applied during personalization.
AD 300 may also include a mis-operation counter CNT 304 and to increase the robustness of the personalization it may include a so-called sequence counter SEQ 305, which is a counter that is incremented each time a personalizing record is successfully entered in data memory 102 of chip card 100 and which can, for example, be used during personalization to synchronize with external database applications.
Each PD 200, 210, etc. can be assigned to only one PD list, with each PD list being assigned in turn to one specific AD 300 and hence to one chip card application. If there is more than one chip card application on chip card 100, there must also be more than one PD or PD
list. In this way the chip card applications are isolated from one another. The way of initializing which has been described, where PD's 200, 210, etc. are organized into lists and the individual PD lists are each coupled to one AD 300, means that the personalization fields are unambiguously assigned to the various providers of the particular chip card applications involved. Since any one AD 300 is assigned to only one chip card application, security-related data such as the key data KEY 303 is also unambiguously assigned to a given chip card application.
What results after the initialization steps which have been described to prepare for personalization, is for example the memory map shown in Fig.4, which also shows the logic connections between the individual elements. What is shown as an example is a data memory 102 containing two chip card applications A and B to each of which is assigned an application descriptor (ADA 401 and ADB 402). Application descriptor ADA 401 in turn has personalization descriptors PDA1 403 and PDA2 404 assigned to it, and application descriptor ADB 402 has personalization descriptors PDB 1 405 and PDB2 406 assigned to it. It is an advantage that, as shown in Fig.4, both the application descriptors 401, 402 and the personalization descriptors 403, 404, 405, 406, can be stored in a random order in data memory 102 of chip card 100.
The initialization of chip card 100 having been described, a closer look will now be taken at its personalization, in which the secret and/or card- or user-specific personalizing data is loaded into chip card 100. In describing the individual steps of the personalization process reference will be made to Fig.6. In the embodiment described, fields LEN and FLAGS are included in the personalization descriptor.
The personalization is performed by working down the PD list for each AD 401, 402. What will be described here as an example is the personalization of a chip card application A. For this purpose, as shown at step 601, a personalization command of the form PERSONALIZE (AID, first personalization record), which contains the identifier AID 301 of the AD 401 assigned to the relevant chip card application and a first personalizing record, is sent to chip card 100 by, for example, an operator who is carrying out the personalization. The transmission of identifier AID 301 initiates the personalization process in chip card 100. With the help of functions provided by the chip card operating system, the AD of chip card application A, which has a corresponding identifier AID and in the present case (see Fig.4) is designated ADA 401, is selected from the AD's 401, 402 present in data memory 102 (step 602). For error-free personalization, the personalizing record which is transmitted must contain the data which is to be written to the appropriate first field for personalizing data, which is PDAl 403 in the present case.
In the event of chip card 100 being intended for use of a type where only a single application to descriptor AD is needed, the presence of identifier AID 301 in the application descriptor and in the personalization command can be dispensed with.
Then, in step 603, a check is made in chip card 100 to see whether the value in length field 201 of that PD for which a locating reference is given by offset field ACT 302 of ADA 401, meaning 15 PDA1 403 in the present case, is the same as the length of the personalizing record transmitted in the personalization command.
If it is, the personalizing record is checked in step 604 to see whether it satisfies the security requirements laid down in status field FLAGS 202 of PDA 1403. If for example it is specified in the 2o FLAGS status field that the personalizing data transmitted must be accompanied by a digital signature, then for example a check is made on the data to see whether a signature of this kind is present and whether it has not been altered. The signature may for example be checked by using key data KEY 303 from ADA 401, which may include a suitable signature key. Or if for example it is specified in the FLAGS status field that the personalizing data transmitted must be encrypted, then 25 for example a check may be made on this encryption and/or the data may be decrypted, using for example key data KEY 303 from ADA 401, which may include an appropriate cryptographic key.
To allow security attributes to be checked, the personalization command may include figures with which to compare check sums and so on. All the safety criteria defined in the FLAGS status field are preferably dealt with in step 604.
If the security check is successfully passed, then in step 605 offset field ACT 302 in ADA
401 is overwritten with the offset field NEXT 203 stored in PDA1 403. The personalizing record (encrypted where appropriate) is written in step 605 to the location in data memory 102 at which PDA1 403 is stored. Since PDA1 403 is thus overwritten, optimum use is made of the storage capacity of the data memory.
If the optional fields are not being used, the check on the length of the personalizing data and/or on the security requirements does not take place and this means a rise in the speed of personalization. With this very fast personalization, the personalizing data is simply transmitted to to chip card 100 in its set order and is written to the fields reserved for it there. When this is done, the isolation between the applications is guaranteed by the principle of addressing employed based on PD's and AD's.
For personalization in accordance with the present invention, it is not necessary to transmit to chip card 100 any information additional to the actual personalization data (and identifier AID 301 where there is more than one application descriptor present) relating to spaceholders which are present, because all the information required, and particularly the information on the memory addresses to be used during the personalization, is already present on the card. The data transmission time required for the personalization process is reduced accordingly. As a result, personalization is 2o possible at a considerably faster speed than previously, particularly when use is not made of time-consuming options such as counter SEQ 305.
The operations on chip card 100 which are needed during the initialization and personalization processes and which have been described, and particularly steps 602 to 607, and the checks and calculations which have to be made, are carried out on chip card 100 by running suitable software routines, which may for example be implemented in the chip card operating system, on processor 101.
If it was specified at the time of initialization, by for example setting an appropriate bit in status field FLAGS 202 of PDA1403, that the first personalization record must be accompanied by a certain signature, then because of the security check only a person who transmits to chip card 100 a personalization record which meets this requirement can overwrite PDA1 403.
This rules out the possibility of other PD's 404, 405, 406 being overwritten either accidentally or intentionally. Since individual security attributes were defined for each PD 403, 404, 405, 406, i.e. for each field for personalizing data, back at the time of initialization, the personalization of each individual field for personalizing data can be individually controlled. And once the security attributes have been defined, they cannot be evaded at a later date.
Alternatively, it can be specified during the initialization, for example by an appropriate control bit in status field FLAGS 202, that the personalizing record transmitted in the personalization command may be shorter than laid down, i.e. its length may be less than the value given in length field LEN 201 of the relevant PD. Since the amount of personalizing data transmitted in this case is less, the storage space in data memory 102 of chip card 100 which has already been reserved but will not be used can be filled with stuffing bytes. Hence the security check will be made in this case even when the personalizing record transmitted is shorter than was specified at the time of initialization.
The situation in data memory 102 of chip card 100 is shown in Fig.S, in which the logic 2o connections between the individual elements are once again shown as well.
The place of PDA 1 403 has been taken by the personalizing record 500 which was transmitted (in Fig.S
the original position of PDA1 403 is indicated in broken lines). The offset field ACT 302 of ADA 401 points to PDA2 404. The data structures (ADB, PDB1, PDB2) for chip card application B are unchanged.
At the next personalization command, by using a personalization command of the form PERSONALIZE (AID, second personalizing record) for example, PDA2 404 can be overwritten.
Alternatively, it would be possible to begin by overwriting PDB 1 405, and so on. What must be remembered is that the order in which the personalizing records to be transmitted are arranged must be the same as that in which PD's 403, 404, 405, 406 are connected in the given PD list. To assist in this, counter SEQ 305 for example can be used.
Once all the PD's of an AD have been overwritten, i.e. once the PD list does not contain any further items, which may be indicated by the fact that the offset field NEXT
203 of the last PD has a content of zero, then in step 607 the AD which was used of the relevant chip card application is deleted. The chip card application has been fully loaded.
In one embodiment of the invention, the identifier AID 301 is only transmitted in the personalization command in cases where a new application descriptor AD is to be selected, for to example when the first personalization command is transmitted. For as long as no subsequent personalization command contains an identifier AID 301, the assignment of the personalizing data transmitted to the appropriate application descriptor takes place automatically, for example by using appropriate functions in the chip card operating system. Only when another identifier AID 301 is transmitted will a corresponding new AD be selected.
The personalization on chip card 100 is performed using known, and for example predefined, services and routines provided by the chip card operating system which can be called up by commands such as the personalization command.
Field of the Invention This invention relates to a method of initializing and personalizing a chip card and to a chip card for this purpose.
Background of the Invention When chip cards are being produced, there are two stages in the production process which have to do with loading data into the card, namely initialization and personalization.
t0 During initialization, the structures that will be needed later on, such as files and directories and the correlation between them, are created in the memory of the chip card.
Also loaded into the chip card is data, this data being the same for all the cards in a given series or run. Where initialization is concerned, speed has a significant impact on cost.
During personalization, secret and/or card-specific information is loaded into the chip card.
If, for example, the number of the card-issuing body, which is the same for all the cards, was recorded at the time of initialization, then at the time of personalization it is for example the credit card number, which is specific to the card, which is programmed into the memory of the card. An 2o important requirement in this case is that personalization should be possible only for those data fields which are intended to be personalized. It must be ensured that the data is written to the right place, i.e. only to the fields which were set aside for personalizing data at the time of initialization. The way in which this requirement is met is that so-called placeholders are loaded into the memory of the chip card during initialization. When personalizing data is then being transmitted to a field intended for such data during personalization, additional information is passed to the chip card along with the personalizing data. This additional information is then compared with the information stored in the placeholder. If the two sets of information are the same, the personalizing data is written to the memory of the chip card. However, a check of this kind is not sufficiently robust to rule out the possibility of misuse. There are known chip cards which have a plurality of chip card applications stored on them. A chip card application is a service which the chip card is able to provide, such as a payment function (chip card application A) or an electronic driver's license (chip card application B). To guarantee security when the chip card is being personalized, it is necessary for the chip card applications to be isolated from one another at the time of personalization, i.e. for it to be ensured that only the provider of chip card application A is able to personalize chip card application A or in other words is able to load data for chip card application A into the card.
The same applies to the provider of chip card application B and to any other chip card applications.
To date, secure isolation between chip card applications at the time of personalization has not been achieved in any chip card personalizing system.
to An object of the present invention is to provide a method for the improved initialization and personalization of chip cards and a chip card for this purpose.
In accordance with the invention, this object is achieved by means of the features described in the independent claims.
Summary of The Invention In accordance with the present invention, data structures are created on the chip card which allow the data which is to be transmitted to the chip card at the time of personalization to be 2o unambiguously assigned to the individual chip card applications and thus to the providers of these applications. This produces secure and reliable isolation between the chip card applications at the time of personalization. The present invention makes it impossible during personalization for personalizing data to be written to data fields not intended for this purpose by, for example, the providers of chip card applications. The present invention allows robust personalization of the fields for personalizing data which were defined as such at the time of initialization where only the locations intended for this purpose in the memory of the chip card can be personalized. No additional storage space is required in the memory of the chip card in order to put the present invention into practice. At the same time, the initialization required for personalization of this kind can be carried out without any loss of speed in comparison with conventional methods of initialization.
Brief Description of the Drawings The invention will be described in greater detail below by reference to preferred embodiments. In the drawings:
Fig. l is a diagram showing the layout of a chip card having a data memory and individual memory blocks.
Fig.2 is a diagram showing the layout of two personalization descriptors (PD's) and the logic connection between them, according to the present invention.
to Fig.3 is a diagram showing the layout of an application descriptor (AD) and two personalization descriptors (PD's) and the logic connections between them, according to the present invention.
t 5 Fig.4 shows the data memory of a chip card after initialization in accordance with the invention.
Fig.S shows the data memory of a chip card during personalization in accordance with the invention, and 2o Fig.6 is a flow chart for a personalizing operation in accordance with the present invention.
Detailed Description of the Invention Fig. l shows a chip card 100 as used in a preferred embodiment of the present invention. The chip card in question is a so-called smart card or in other words a chip card having a processor 101, 25 data memory 102 and software, such as the chip card operating system. It is preferable in this case for the data memory 102 of chip card 100 to be managed by a memory manager which is located on chip card 100 and which is, for example, part of the chip card operating system. The memory manager divides data memory 102 on chip card 100 into individual memory blocks 103. This division is preferably performed dynamically, i.e. to suit the storage space required by the individual operating system functions or chip card applications. Each memory block 103 has a physical address which is managed by the memory manager. Since these addresses depend on the version of the chip card operating system which is current, on the chip card hardware which is being used, and on other incidental conditions, what are used in the preferred embodiment are offsets.
If an area is to be initialized in memory 102 of chip card 100, to create a file for example, a free memory block 103 is assigned, and data written to it if required, by means of a chip card command such as CREATE
FILE. To allow data to be written to a particular area within block 103, what is preferably used in turn is an offset, which is, for example, referred to the start of block 103.
By using relative memory addresses it becomes possible to escape from the constraints imposed by hardware-specific, physical to memory addresses.
In what follows, a description will be given of the initialization which serves as a preparation for the personalization of chip card 100.
During the initialization, a so-called personalization descriptor (PD) is written to every location within a memory block 103 which is intended to hold a field of personalizing data. Fig.2 shows the layout of a PD 200. Each personalization descriptor contains an offset field NEXT 203.
In addition to this, each personalization descriptor may also contain a length field LEN 201 and a status field FLAGS 202. To define other personalization characteristics it is possible for other optional fields to be inserted.
If it is necessary for more than one personalizing record to be transmitted in order to personalize a chip card application, storage locations for this purpose are reserved in data memory 102 of chip card 100 by other PD's in the course of the initialization. The offset field NEXT 203 of PD 200 specifies the offset, i.e. the memory address, of a further PD 210. By means of the offset field 203, the PD's 200, 210 required are organized into PD lists so that there are a series of PD's 200, 210, etc. in a set order laid down for the personalization process. From the organizational point of view, PD's 200, 210, etc. in this case are connected together in the same order as that in which the personalizing data will be transmitted to chip card 100 during the subsequent personalization.
To indicate that the PD list does not contain any further items, or that it consists of only a single item, what can for example be done is to make the content of the offset field 203 of the last PD zero.
Fig.2 shows how two PD's, PD1 and PD2 in this case, are connected to form a PD
list. The use of relative memory addresses means, as described above, that the constraints of physical addresses can be avoided, which is particularly advantageous when retrospective changes have to be made to the chip card hardware or operating system.
To increase the robustness of the personalization, the optional length field LEN 201 can be put in. What is stated in length field LEN 201 of PD 200 is the length, in bytes for example, of the field for personalizing data which will take the place of the PD 200 to which length field 201 belongs during the subsequent personalization.
It is preferable for the length of a PD 200 which is written to data memory 102 during initialization to be smaller than that of the field of personalizing data which will be transmitted subsequently. The length of a PD may be 4 bytes for example, whereas that of a field of personalizing data may for example be 40 bytes. However, it is equally possible for a PD 200 to be the same size as its associated field of personalizing data. The introduction of length field 201 makes it possible for protection to be obtained against the destruction of the initialized memory structures.
2o To provide even greater security during personalization, the optional status field FLAGS 202 can be put in. The status field 202 of a PD 200 is used to store various status bits, known as flags, which specify what characteristics need to be exhibited by the personalizing data which will be written in place of PD 200 at the time of personalization. It can for example be specified whether the personalizing data must be encrypted/non-encrypted and/or signed/unsigned, etc.
The introduction of extended personalization descriptors of this kind makes it possible for the personalization process to be controlled in a way which can be individually defined for each personalizing record.
Also, during the initialization, at least one application descriptor (AD) is created for each chip card application in memory 102 of chip card 100. Since the chip card applications are each assigned to a provider, the ADs too are assigned to the providers of the chip card applications. The layout of an AD 300 is shown in Fig.3.
To allow it to be identified, an AD 300 includes an application designator 301 which designates the chip card application which is to be personalized using AD 300.
The application designator 301 will be referred to in what follows as an application identifier (AID). AID 301 preferably includes the name of the relevant chip card application and an unambiguous numerical 1o identification for AD 300.
AD 300 also includes the offset ACT 302 for the next PD to be processed.
Offset field 302 is so initialized in this case that before personalization begins it points to the first PD 200 in a PD
list.
AD 300 may also include other data, such as key data KEY 303 for the use of cryptographic security mechanisms, such as for the decrypting of personalizing data transmitted in encrypted form or for the checking of a signature. This allows any provider of chip card applications to individually formulate the cryptographic security procedures which are to be applied during personalization.
AD 300 may also include a mis-operation counter CNT 304 and to increase the robustness of the personalization it may include a so-called sequence counter SEQ 305, which is a counter that is incremented each time a personalizing record is successfully entered in data memory 102 of chip card 100 and which can, for example, be used during personalization to synchronize with external database applications.
Each PD 200, 210, etc. can be assigned to only one PD list, with each PD list being assigned in turn to one specific AD 300 and hence to one chip card application. If there is more than one chip card application on chip card 100, there must also be more than one PD or PD
list. In this way the chip card applications are isolated from one another. The way of initializing which has been described, where PD's 200, 210, etc. are organized into lists and the individual PD lists are each coupled to one AD 300, means that the personalization fields are unambiguously assigned to the various providers of the particular chip card applications involved. Since any one AD 300 is assigned to only one chip card application, security-related data such as the key data KEY 303 is also unambiguously assigned to a given chip card application.
What results after the initialization steps which have been described to prepare for personalization, is for example the memory map shown in Fig.4, which also shows the logic connections between the individual elements. What is shown as an example is a data memory 102 containing two chip card applications A and B to each of which is assigned an application descriptor (ADA 401 and ADB 402). Application descriptor ADA 401 in turn has personalization descriptors PDA1 403 and PDA2 404 assigned to it, and application descriptor ADB 402 has personalization descriptors PDB 1 405 and PDB2 406 assigned to it. It is an advantage that, as shown in Fig.4, both the application descriptors 401, 402 and the personalization descriptors 403, 404, 405, 406, can be stored in a random order in data memory 102 of chip card 100.
The initialization of chip card 100 having been described, a closer look will now be taken at its personalization, in which the secret and/or card- or user-specific personalizing data is loaded into chip card 100. In describing the individual steps of the personalization process reference will be made to Fig.6. In the embodiment described, fields LEN and FLAGS are included in the personalization descriptor.
The personalization is performed by working down the PD list for each AD 401, 402. What will be described here as an example is the personalization of a chip card application A. For this purpose, as shown at step 601, a personalization command of the form PERSONALIZE (AID, first personalization record), which contains the identifier AID 301 of the AD 401 assigned to the relevant chip card application and a first personalizing record, is sent to chip card 100 by, for example, an operator who is carrying out the personalization. The transmission of identifier AID 301 initiates the personalization process in chip card 100. With the help of functions provided by the chip card operating system, the AD of chip card application A, which has a corresponding identifier AID and in the present case (see Fig.4) is designated ADA 401, is selected from the AD's 401, 402 present in data memory 102 (step 602). For error-free personalization, the personalizing record which is transmitted must contain the data which is to be written to the appropriate first field for personalizing data, which is PDAl 403 in the present case.
In the event of chip card 100 being intended for use of a type where only a single application to descriptor AD is needed, the presence of identifier AID 301 in the application descriptor and in the personalization command can be dispensed with.
Then, in step 603, a check is made in chip card 100 to see whether the value in length field 201 of that PD for which a locating reference is given by offset field ACT 302 of ADA 401, meaning 15 PDA1 403 in the present case, is the same as the length of the personalizing record transmitted in the personalization command.
If it is, the personalizing record is checked in step 604 to see whether it satisfies the security requirements laid down in status field FLAGS 202 of PDA 1403. If for example it is specified in the 2o FLAGS status field that the personalizing data transmitted must be accompanied by a digital signature, then for example a check is made on the data to see whether a signature of this kind is present and whether it has not been altered. The signature may for example be checked by using key data KEY 303 from ADA 401, which may include a suitable signature key. Or if for example it is specified in the FLAGS status field that the personalizing data transmitted must be encrypted, then 25 for example a check may be made on this encryption and/or the data may be decrypted, using for example key data KEY 303 from ADA 401, which may include an appropriate cryptographic key.
To allow security attributes to be checked, the personalization command may include figures with which to compare check sums and so on. All the safety criteria defined in the FLAGS status field are preferably dealt with in step 604.
If the security check is successfully passed, then in step 605 offset field ACT 302 in ADA
401 is overwritten with the offset field NEXT 203 stored in PDA1 403. The personalizing record (encrypted where appropriate) is written in step 605 to the location in data memory 102 at which PDA1 403 is stored. Since PDA1 403 is thus overwritten, optimum use is made of the storage capacity of the data memory.
If the optional fields are not being used, the check on the length of the personalizing data and/or on the security requirements does not take place and this means a rise in the speed of personalization. With this very fast personalization, the personalizing data is simply transmitted to to chip card 100 in its set order and is written to the fields reserved for it there. When this is done, the isolation between the applications is guaranteed by the principle of addressing employed based on PD's and AD's.
For personalization in accordance with the present invention, it is not necessary to transmit to chip card 100 any information additional to the actual personalization data (and identifier AID 301 where there is more than one application descriptor present) relating to spaceholders which are present, because all the information required, and particularly the information on the memory addresses to be used during the personalization, is already present on the card. The data transmission time required for the personalization process is reduced accordingly. As a result, personalization is 2o possible at a considerably faster speed than previously, particularly when use is not made of time-consuming options such as counter SEQ 305.
The operations on chip card 100 which are needed during the initialization and personalization processes and which have been described, and particularly steps 602 to 607, and the checks and calculations which have to be made, are carried out on chip card 100 by running suitable software routines, which may for example be implemented in the chip card operating system, on processor 101.
If it was specified at the time of initialization, by for example setting an appropriate bit in status field FLAGS 202 of PDA1403, that the first personalization record must be accompanied by a certain signature, then because of the security check only a person who transmits to chip card 100 a personalization record which meets this requirement can overwrite PDA1 403.
This rules out the possibility of other PD's 404, 405, 406 being overwritten either accidentally or intentionally. Since individual security attributes were defined for each PD 403, 404, 405, 406, i.e. for each field for personalizing data, back at the time of initialization, the personalization of each individual field for personalizing data can be individually controlled. And once the security attributes have been defined, they cannot be evaded at a later date.
Alternatively, it can be specified during the initialization, for example by an appropriate control bit in status field FLAGS 202, that the personalizing record transmitted in the personalization command may be shorter than laid down, i.e. its length may be less than the value given in length field LEN 201 of the relevant PD. Since the amount of personalizing data transmitted in this case is less, the storage space in data memory 102 of chip card 100 which has already been reserved but will not be used can be filled with stuffing bytes. Hence the security check will be made in this case even when the personalizing record transmitted is shorter than was specified at the time of initialization.
The situation in data memory 102 of chip card 100 is shown in Fig.S, in which the logic 2o connections between the individual elements are once again shown as well.
The place of PDA 1 403 has been taken by the personalizing record 500 which was transmitted (in Fig.S
the original position of PDA1 403 is indicated in broken lines). The offset field ACT 302 of ADA 401 points to PDA2 404. The data structures (ADB, PDB1, PDB2) for chip card application B are unchanged.
At the next personalization command, by using a personalization command of the form PERSONALIZE (AID, second personalizing record) for example, PDA2 404 can be overwritten.
Alternatively, it would be possible to begin by overwriting PDB 1 405, and so on. What must be remembered is that the order in which the personalizing records to be transmitted are arranged must be the same as that in which PD's 403, 404, 405, 406 are connected in the given PD list. To assist in this, counter SEQ 305 for example can be used.
Once all the PD's of an AD have been overwritten, i.e. once the PD list does not contain any further items, which may be indicated by the fact that the offset field NEXT
203 of the last PD has a content of zero, then in step 607 the AD which was used of the relevant chip card application is deleted. The chip card application has been fully loaded.
In one embodiment of the invention, the identifier AID 301 is only transmitted in the personalization command in cases where a new application descriptor AD is to be selected, for to example when the first personalization command is transmitted. For as long as no subsequent personalization command contains an identifier AID 301, the assignment of the personalizing data transmitted to the appropriate application descriptor takes place automatically, for example by using appropriate functions in the chip card operating system. Only when another identifier AID 301 is transmitted will a corresponding new AD be selected.
The personalization on chip card 100 is performed using known, and for example predefined, services and routines provided by the chip card operating system which can be called up by commands such as the personalization command.
Claims (15)
1. A method of initializing and personalizing a chip card, wherein data for at least one chip card application is transmitted to a data memory of the chip card, comprising the following steps during initialization:
- writing of at least one application descriptor for a chip card application to the data memory of the chip card, with the application descriptor including details of a memory address of precisely one personalization descriptor, - writing of at least one personalization descriptor to the data memory of the chip card, with the personalization descriptor including details of a memory address of a next personalization descriptor, and during personalization:
- transmission of personalizing data for a chip card application to the chip card, - writing of the personalizing data to the data memory of the chip card at the memory address indicated by the details in the application descriptor, - transmission of the details of the memory address of the next personalization descriptor taken from the first personalization descriptor to the application descriptor so that the next personalization descriptor is then assigned to the application descriptor, - repetition of the steps of personalization for all the personalizing data which has to be transmitted.
- writing of at least one application descriptor for a chip card application to the data memory of the chip card, with the application descriptor including details of a memory address of precisely one personalization descriptor, - writing of at least one personalization descriptor to the data memory of the chip card, with the personalization descriptor including details of a memory address of a next personalization descriptor, and during personalization:
- transmission of personalizing data for a chip card application to the chip card, - writing of the personalizing data to the data memory of the chip card at the memory address indicated by the details in the application descriptor, - transmission of the details of the memory address of the next personalization descriptor taken from the first personalization descriptor to the application descriptor so that the next personalization descriptor is then assigned to the application descriptor, - repetition of the steps of personalization for all the personalizing data which has to be transmitted.
2. The method according to claim 1, wherein the application descriptor includes details to enable it to be unambiguously assigned to a chip card application.
3. The method according to claim 1 or claim 2, wherein the personalization descriptor also includes details which define the characteristics of the personalizing data to be transmitted, and further comprises the step of checking of the personalizing data transmitted to see whether it satisfies the details, and wherein the writing of the personalizing data to the data memory of the chip card takes place only if the details are satisfied.
4. The method according to claim 3, wherein the personalizing data is checked against the details from that personalization descriptor which is currently assigned to the application descriptor.
5. The method according to claim 3 or claim 4, wherein the personalizing data is checked using information included in the application descriptor.
6. The method according to any one of claims 3 to 5, wherein the details included in the personalization descriptor include the length of the personalizing data.
7. The method according to any one of claims 3 to 6, wherein the details included in the personalization descriptor include security requirements which the personalizing data is required to meet.
8. The method according to any one of claims 1 to 7, wherein the application descriptor includes a counter, and further comprises the step of incrementing the counter each time a personalizing record is successfully entered in the data memory of the chip card.
9. A chip card having a processor for running software routines, a data memory and software routines for performing the method according to any one of claims 1 to 8.
10. The chip card according to claim 9, wherein the data memory contains, before the personalization of the chip card begins,:
at least one application descriptor for a chip card application which descriptor includes details of a memory address of a personalization descriptor, and at least one personalization descriptor which includes details of a memory address of the next personalization descriptor.
at least one application descriptor for a chip card application which descriptor includes details of a memory address of a personalization descriptor, and at least one personalization descriptor which includes details of a memory address of the next personalization descriptor.
11. The chip card according to claim 10, wherein the application descriptor includes details of the chip card application assigned to it.
12. The chip card according to claim 10 or claim 11, wherein the application descriptor includes information which can be used for a check on the personalizing data.
13. The chip card according to any one of claims 10 to 12, wherein the personalization descriptor also includes details which define the characteristics of the personalizing data to be transmitted.
14. The chip card according to any one of claims 10 to 13, wherein the application descriptor includes a counter which is incremented each time a personalizing record is successfully entered in the data memory of the chip card.
15. A computer program product for causing a computer to perform the method steps of any one of claims 1 to 8.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE19939280A DE19939280A1 (en) | 1999-08-19 | 1999-08-19 | Secure personalization of chip cards |
| DE19939280.3 | 1999-08-19 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2315986A1 true CA2315986A1 (en) | 2001-02-19 |
Family
ID=7918874
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002315986A Abandoned CA2315986A1 (en) | 1999-08-19 | 2000-08-14 | Secure personalization of chip cards |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US6971025B1 (en) |
| EP (1) | EP1079339B1 (en) |
| AT (1) | ATE275746T1 (en) |
| CA (1) | CA2315986A1 (en) |
| DE (2) | DE19939280A1 (en) |
| ES (1) | ES2224976T3 (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040122774A1 (en) * | 2002-08-02 | 2004-06-24 | Martin Studd | Method and system for executing applications on a mobile device |
| DE10252512A1 (en) * | 2002-11-08 | 2004-05-27 | Robert Bosch Gmbh | Data carrier element for communicating data to object assigned to data carrier e.g. for freight and container vehicles, has specified electronic storage structure for receiving data |
| EP1622098A1 (en) * | 2004-07-30 | 2006-02-01 | ST Incard S.r.l. | IC card secure personalization method |
| TWI418198B (en) * | 2006-01-24 | 2013-12-01 | Stepnexus Holdings | Method and system for personalizing smart cards using asymmetric key cryptography |
| EP1873728B1 (en) | 2006-06-29 | 2013-11-27 | Incard SA | Method for configuring an IC Card in order to receive personalization commands |
| DE102006034375A1 (en) * | 2006-07-25 | 2008-01-31 | Giesecke & Devrient Gmbh | Personalization of portable data carriers |
| DE102008050578A1 (en) * | 2008-10-06 | 2010-04-08 | Giesecke & Devrient Gmbh | Personalize portable media |
| EP2200253A1 (en) * | 2008-12-19 | 2010-06-23 | Gemalto SA | Method of managing sensitive data in an electronic token |
| DE102010044687A1 (en) * | 2010-09-08 | 2012-03-08 | Giesecke & Devrient Gmbh | Portable data carrier with misoperation counter |
| CN107463407B (en) * | 2017-08-10 | 2020-11-06 | 青岛海信移动通信技术股份有限公司 | Fingerprint chip initialization method and device |
| DE102023110087A1 (en) | 2022-04-22 | 2023-10-26 | Giesecke+Devrient ePayments GmbH | Method and system for personalizing a secure element |
| WO2023202801A1 (en) | 2022-04-22 | 2023-10-26 | Giesecke+Devrient ePayments GmbH | Method and system for personalizing a secure element |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4874935A (en) * | 1986-03-10 | 1989-10-17 | Data Card Coprporation | Smart card apparatus and method of programming same |
| JPH02214994A (en) * | 1989-02-15 | 1990-08-27 | Hitachi Maxell Ltd | Ic card |
| US5438679A (en) * | 1990-11-30 | 1995-08-01 | Casio Computer Co., Ltd. | Data storage apparatus having volatile memory and nonvolatile memory and data indication means for indicating memory storing data |
| DE19536548A1 (en) * | 1995-09-29 | 1997-04-03 | Ibm | Generation of software tools for initialisation and personalising of memory card, smart card |
| US5889941A (en) * | 1996-04-15 | 1999-03-30 | Ubiq Inc. | System and apparatus for smart card personalization |
| ATE281680T1 (en) * | 1997-03-24 | 2004-11-15 | Visa Int Service Ass | SYSTEM AND METHOD FOR A MULTIPURPOSE CHIP CARD WHICH ALLOWS SUBSEQUENT STORAGE OF AN APPLICATION ON THIS CARD |
| AU2289999A (en) * | 1998-02-06 | 1999-08-23 | Mondex International Limited | Configuration of ic card |
| US6390374B1 (en) * | 1999-01-15 | 2002-05-21 | Todd Carper | System and method for installing/de-installing an application on a smart card |
-
1999
- 1999-08-19 DE DE19939280A patent/DE19939280A1/en not_active Withdrawn
-
2000
- 2000-07-20 US US09/620,185 patent/US6971025B1/en not_active Expired - Lifetime
- 2000-07-22 AT AT00115817T patent/ATE275746T1/en not_active IP Right Cessation
- 2000-07-22 EP EP00115817A patent/EP1079339B1/en not_active Expired - Lifetime
- 2000-07-22 DE DE60013518T patent/DE60013518T2/en not_active Expired - Lifetime
- 2000-07-22 ES ES00115817T patent/ES2224976T3/en not_active Expired - Lifetime
- 2000-08-14 CA CA002315986A patent/CA2315986A1/en not_active Abandoned
Also Published As
| Publication number | Publication date |
|---|---|
| DE19939280A1 (en) | 2001-02-22 |
| EP1079339B1 (en) | 2004-09-08 |
| EP1079339A2 (en) | 2001-02-28 |
| EP1079339A3 (en) | 2001-08-22 |
| DE60013518T2 (en) | 2005-10-13 |
| ATE275746T1 (en) | 2004-09-15 |
| ES2224976T3 (en) | 2005-03-16 |
| DE60013518D1 (en) | 2004-10-14 |
| US6971025B1 (en) | 2005-11-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7584358B2 (en) | Tamper resistant module certification authority | |
| EP0981807B1 (en) | Integrated circuit card with application history list | |
| US6575372B1 (en) | Secure multi-application IC card system having selective loading and deleting capability | |
| US7850066B2 (en) | Smartcard system | |
| EP1023703B1 (en) | Personalization of smart cards | |
| US6742715B2 (en) | System and method for flexibly loading an IC card | |
| EP1223565A1 (en) | Transaction system, portable device, terminal and methods of transaction | |
| JP2004272400A (en) | Memory card | |
| US6971025B1 (en) | Secure personalization of chip cards | |
| KR20050099495A (en) | Semiconductor memory card, and program for controlling the same | |
| EP2016535A2 (en) | Methods and systems for ic card application loading | |
| EP1053535B1 (en) | Configuration of ic card | |
| EP1053536B1 (en) | System and method for controlling access to computer code in an ic card | |
| US6662283B1 (en) | Secure memory management method | |
| Marlet et al. | Demoney: A demonstrative electronic purse–Card specification | |
| GB2350703A (en) | Smart devices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| FZDE | Discontinued |