WO1995022126A1 - Data exchange system comprising portable data processing units - Google Patents
- Publication number: WO1995022126A1 (PCT/NL1995/000055)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, application, exchange system, procedural, interaction
Classifications
- G07F7/1008: Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system (under G07F7/10, mechanisms actuated by a coded identity card, credit card or other personal identification means together with a coded signal such as a PIN or biometric data)
- G06K19/07: Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards, with integrated circuit chips
- G06F21/123: Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, GPS devices (under G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, and G06F21/10, protecting distributed programs or content, digital rights management)
- G06Q20/341: Payment architectures using cards: active cards, i.e. cards including their own processing means, e.g. including an IC or chip
- G06Q20/3563: Aspects of software for card payments: software being resident on card
- G06Q20/3574: Cards having a plurality of specified features: multiple applications on card
- G06Q20/35765: Cards having a plurality of specified features: multiple memory zones on card, access rights to memory zones
- G06F2211/007: Indexing scheme relating to details of data-processing equipment: encryption, en-/decode, en-/decipher, scramble, (de-)compress
- Y10S707/99931: Data processing, database and file management or data structures: database or file accessing
- Y10S707/99939: Database or file accessing: privileged access
- Y10S707/99942: Database schema or data structure: manipulating data structure, e.g. compression, compaction, compilation
- Y10S707/99943: Database schema or data structure: generating database or data structure, e.g. via user interface
Definitions
- Data exchange system comprising portable data processing units
- The invention relates to a data exchange system comprising at least one portable data processing unit comprising data communication means, processing means and memory means, the latter comprising an executive program.
- Such a system is known from the international patent application WO-A-87/07063, in which a system for a portable data carrier having multiple application files is described.
- One of the most important applications of such a portable data carrier is a smart card suitable for multiple applications.
- The known data carrier is described as a carrier of hierarchically structured data with security features to support multiple applications on the same data carrier. Applications are seen as sets of data.
- The patent application describes an implementation of a hierarchical file system on a data carrier to store alterable data in combination with a hierarchic set of access permissions.
- The data carrier responds to a set of common commands. File access permissions are distinct for different operations and are granted depending on password verification.
- A password verification attempt counter is introduced, as well as the destruction of stored data as a sanction against too many access attempts.
- The known data carrier is presented primarily as a storage device and not as a processor. Only very simple functions, such as binary logic operations, may be performed by the executive program. It is not possible to allow an unspecified set of operations to be performed at the request of a terminal communicating with the data carrier.
- The only security option is password verification. No other access condition verifications are possible within the known system.
- Each application of the data carrier has its own file within the memory means of the data carrier. No special measures are taken to enhance the efficiency of the available memory space, which, especially on smart cards, is very restricted and therefore limits the number of possible applications.
- EP-A-0,479,655 relates to the implementation of access condition checks in smart cards.
- One specification technique for that is disclosed; however, it is desirable to provide measures that include the possibility of other access condition verifications.
- EP-A-0,361,491 relates to a chip card programming system allowing protected (re)programming of cards. It describes the use of write-once access conditions to control access to the parts of the programmable memory to be programmed. In this way the number of applications on a single card can be extended. Verification of the access conditions with a variety of techniques, including cryptographic protocols, is described.
- EP-A-0,292,24B relates to loading applications onto a smart card using an unalterable operating system program. It includes the implementation of a data access condition enforcement method using memory zones with assigned access attributes. Specific access conditions are "write-once" (which is only described implicitly) and "execute-only".
- US-A-4,874,935 relates to card programming using a data dictionary, where the data dictionary describes the layout of the data elements stored in the card's memory.
- Data dictionaries are commonly understood to differ from directories in that they describe not only data actually stored but also data which will be stored later.
- Data dictionaries usually include a description of the data format.
- Compiled-format data dictionaries are used in database management systems, where they are stored on the hard disc as part of the database. They are also found in the object load files resulting from program compilation in software development environments.
- The patent does not claim a representation of data dictionaries particularly suited to smart cards.
- The main object of the present invention is to provide means to cope optimally with the restrictions imposed by the limited physical dimensions of the available memory space on portable data processing units, especially smart cards.
- A further object of the present invention is to offer a more general mechanism for the protected loading of program code, and to allow such loading for multiple programs, each for one application of each portable data processing unit.
- The present invention is directed to the use of access condition verifications not prescribed by the manufacturer of the portable processing unit but chosen by the application designer to suit his particular needs.
- The system according to the invention is characterized in that the memory means further comprises at least one interaction context containing the following coherent data structure:
  a. a set of basic communication primitives which are accepted whenever the data processing unit communicates with a similar unit, said primitives at least including a primitive used to selectively enter one of the said interaction contexts;
  b. a set of procedural descriptions defining the actions to be performed in response to each of the accepted communication primitives, at least comprising a first procedural description to be performed upon activating the interaction context, and a last procedural description to be performed immediately before deactivating the context;
  c.
- The processing unit is really organized as a processor, i.e. it not only allows logical operations but performs processes which may be loaded into the processing unit by persons authorized to do so, e.g. a staff member of a bank.
- By providing procedures which may perform arbitrarily complex operations in response to received commands, and by providing an explicit list of stored data elements which are addressable as part of such commands, the communication bandwidth can be used optimally, resulting in a reduced number of exchanged commands. With a system according to the invention, many actual uses of the system will require the exchange of only two commands.
- The structure within the memory means is defined in such a way that several applications of the unit may be added very efficiently, i.e. using as little additional memory space as possible. This is of prime importance if the unit is a smart card, which is severely limited as regards available memory space.
- The structure according to the invention offers all possibilities to include security measures in order to inhibit unauthorized people from accessing processes or data that they are not entitled to use.
- The data exchange system defined above is characterized in that the memory means further comprises at least two interaction contexts, at least one application description and a memory element storing a reference to the interaction context currently in force, each application description comprising:
  a. a data list comprising references to data elements, which references may be accessible to two or more interaction contexts and may be extended by additional data elements;
  b. a further set of access conditions associated with said references or with said additional data elements and defining restrictions of use.
- Each application description may also comprise a procedure library comprising units of executable code which can be used by the procedural descriptions of each interaction context associated with each of said application descriptions.
- The processing unit is thus suitable for at least two applications with little additional memory space.
- The data exchange system is characterized in that the memory means comprises at least two application descriptions and units of executable code which can be used by the procedural descriptions of each interaction context within each application description or by each unit of executable code of each procedure library within each application description.
- The units of executable code in the procedure library are enhanced by including a specification of the use of their operational parameters in classes relating to attributes of the data elements which can be passed as actual values in a computation; the computation only proceeds if the data attributes and the parameter classes match.
- This is an efficient way of verifying access conditions both at the data level and at the function level, for which a very efficient implementation exists.
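The parameter-class check described above, as an added example constructed here (not code from the patent): each library function declares one class per operational parameter, each data element carries attributes, and the executive lets a computation proceed only when the attributes of every actual element include the class declared for its position. The class and attribute names, the HMAC-based library function and the sample elements are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class ParamClass(Enum):
    """Classes a library function may declare for its operational parameters (assumed names)."""
    PUBLIC = "public"     # element whose value may be disclosed to the opposite unit
    SECRET = "secret"     # key material: may feed a computation, never appear as a result
    COUNTER = "counter"   # element that is only ever advanced, e.g. a transaction sequence


@dataclass
class DataElement:
    name: str
    value: bytes
    attrs: frozenset      # attributes pertaining to the element, matched against ParamClass


@dataclass
class LibraryFunction:
    name: str
    classes: tuple        # one ParamClass per operational parameter, in position order
    body: object          # callable over the raw parameter values


class ClassMismatch(Exception):
    pass


def invoke(fn, elements):
    """Executive-side check: the computation proceeds only if every actual element
    carries the attribute named by the class declared for its parameter position."""
    if len(elements) != len(fn.classes):
        raise ClassMismatch(f"{fn.name}: expects {len(fn.classes)} parameters")
    for pos, (cls, el) in enumerate(zip(fn.classes, elements)):
        if cls.value not in el.attrs:
            raise ClassMismatch(f"{fn.name}: parameter {pos} needs '{cls.value}', "
                                f"element {el.name} has {sorted(el.attrs)}")
    return fn.body(*(e.value for e in elements))


def accepts(fn, elements):
    """True if the class/attribute check lets this call run (library bodies are pure)."""
    try:
        invoke(fn, elements)
    except ClassMismatch:
        return False
    return True


# Constructed procedure library shared by the interaction contexts of one application.
LIBRARY = {
    "mac": LibraryFunction("mac", (ParamClass.SECRET, ParamClass.PUBLIC),
                           lambda k, d: hmac.new(k, d, hashlib.sha256).digest()[:4]),
    "increment": LibraryFunction("increment", (ParamClass.COUNTER,),
                                 lambda c: (int.from_bytes(c, "big") + 1).to_bytes(len(c), "big")),
}


def run_procedure(steps, elements):
    """A procedural description as a list of (function, argument names, result name,
    result attributes); every step passes through the class check in invoke()."""
    env = {e.name: e for e in elements}
    for fn_name, arg_names, out_name, out_attrs in steps:
        value = invoke(LIBRARY[fn_name], [env[n] for n in arg_names])
        env[out_name] = DataElement(out_name, value, frozenset(out_attrs))
    return env


# Constructed sample data elements of one interaction context.
SAMPLE_ELEMENTS = [
    DataElement("key", b"\x11" * 16, frozenset({"secret"})),
    DataElement("seq", b"\x00\x00\x00\x09", frozenset({"counter", "public"})),
]

# Constructed procedure: advance the sequence number, then authenticate it under the key.
AUTHENTICATE_SEQ = [
    ("increment", ["seq"], "seq", {"counter", "public"}),
    ("mac", ["key", "seq"], "tag", {"public"}),
]
```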
- The data exchange system is characterized in that the executive program comprises a reference to a default interaction context which is used to initialise the memory element storing a reference to the interaction context currently in force, in order to carry out a final action after detection of an internal inconsistency, in a recovery to a normal state of operation, or whenever the executive program is active and no explicit interaction context has been specified by a communication primitive received from the opposite data processing unit.
- The data exchange system may be characterized in that the memory means comprises an interaction context dedicated to holding Personal Identification Numbers and that the executive program is arranged to verify Personal Identification Numbers supplied by a user of the data exchange system.
- The Personal Identification Number management interaction context and the default context can be implemented as part of the same device holder application.
- Support of this application by most devices with which a device according to the invention communicates would give the device owner the opportunity to review his personal data as stored in the device memory; for instance, a smart card holder could be allowed to modify his PIN at any smart card terminal which provides an appropriate user interface.
- Each application description may comprise a list of numeric values which is constructed to provide identifiers for all interaction contexts and comprises at least a first numeric value indicating an application type, a second numeric value indicating a unique identification of the entity providing the application, a third numeric value indicating the nature of the application description, and further numbers each uniquely referring to one interaction context associated with the application description.
- The string of numeric values uniquely referring to an interaction context provides a means of establishing interoperability between two communicating devices which is more efficient than currently envisaged for e.g. smart cards: it relegates to the application-providing entity the responsibility to assign unique values to each interaction context, while leaving the assignment of unique numbers to entities and applications to the relevant bodies of sectoral and international co-operation respectively.
- The application-providing entity can assign the unique context numbers so as to incorporate implementation version and secret key generation information.
- The data communication means may be arranged to structure the data exchange in blocks of data comprising at least two parts: a first part qualified as operational, in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive or to influence the nature of the data resulting from the operations carried out; and a second part qualified as security, in that it is used to determine the appropriateness of performing an operation or the acceptability of the data within the operational part to be used in the operation, or to prove completion of the operation or correctness of the resulting data.
- Such appropriateness, acceptability, proof and correctness are obtained by performing the relevant cryptographic operations on the data.
- Authentication and data protection are thus made an integral part of command execution, providing better security than obtainable in current systems, e.g. smart cards.
- The executive program may be arranged to perform, upon accepting a communication primitive to perform operations specified in the current interaction context, each operation as part of a predetermined and fixed sequence of actions, each of which is specified separately as part of the procedural description associated with the accepted communication primitive, which actions comprise at least the following:
  a. authorization of the use of the communication primitive;
  b. decryption of the operational data or any part of it;
  c. performing a command with any input data;
  d. encryption of any operational data resulting from any operation performed;
  e. computation of a proof of completion of any performed action or of correctness of the resulting data, to be used in security computations.
- Security is further enhanced if the data processing unit generates a random transaction number upon initializing the data transfer, which serves as the basis for the cryptographic computations.
- One communication primitive may be assigned a specified value which will always be interpreted as a request to enter a new interaction context.
- The data exchange system is characterized in that it comprises a further data processing unit comprising the same elements as the data processing unit, as well as an application programmer's interface consisting of program code designed to allow additional computer programs to be implemented to give users control over the sequence of exchanged communication primitives, to influence the data transferred in them, or to learn or further process the data received in the exchange.
- Development of software for systems according to the invention will benefit from the availability of an application programmer's interface.
- The primitive used to enter a specified interaction context may comprise numeric values to be used in security calculations in subsequent communications: a first value generated at random by one of the processing units and a second value serving to identify said one processing unit.
- Each communication primitive may further be structured to consist of two or more numeric values which enhance the expressive power of the communication primitive for interpretation by the executive program.
- Each communication primitive may be composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated with the communication primitive, a second value being composed of a fixed number of binary values each of which is interpreted by the executive program as a reference to a single data element.
- Alternatively, each communication primitive may be composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated with the communication primitive, a second value being used to determine which of the data elements available for external reference in an active interaction context will be used while performing the responding actions, in such a way that any data element is selected if it contains a value that matches said second value.
- Alternatively, each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated with the communication primitive, a second value being composed of a number of binary values which are assigned specific meanings by the executive program, to be used in interpreting the data formats in the communication primitive and in performing the responding actions.
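An added example, constructed here and not code from the patent, of one interaction context processing a block whose first value names the procedural description and whose second value is a bit mask over the context's externally referenceable data elements. It carries the fixed action sequence (authorization, decryption, command, encryption, proof) with the transaction number drawn on entering the context, and shows both the portable unit's side and the opposite unit's side of the exchange. The HMAC-based proof, the HMAC-derived keystream standing in for a cipher, the shared key, and the two sample data elements are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class DataElement:
    name: str
    value: bytes
    readable: bool = True    # access condition: value may be returned to the opposite unit
    writable: bool = False   # access condition: value may be altered by a command

@dataclass
class Block:
    # first value, second value (bit mask over the context's data elements), operational part, security part
    primitive: int
    mask: int
    operational: bytes
    security: bytes

class SecurityError(Exception):
    pass

def _keystream(key, tn, label, n):
    # Constructed stand-in for a cipher: an HMAC-derived keystream XORed into the data.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, tn + label + bytes([ctr]), hashlib.sha256).digest()
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def _proof(key, tn, primitive, mask, payload):
    # The proof binds the transaction number, both numeric values and the payload.
    return hmac.new(key, tn + bytes([primitive, mask]) + payload, hashlib.sha256).digest()[:8]

class InteractionContext:
    def __init__(self, elements, procedures, key):
        self.elements = elements      # position i in this list <-> bit i of the mask
        self.procedures = procedures  # primitive value -> procedural description
        self.key = key                # key shared with the opposite unit (assumed pre-established)
        self.tn = None

    def enter(self, rnd=None):
        # First procedural description: on activation, draw the random transaction number.
        self.tn = rnd if rnd is not None else os.urandom(8)
        return self.tn

    def leave(self):
        # Last procedural description: runs immediately before deactivation.
        self.tn = None

    def execute(self, blk):
        # a. authorization of the use of the communication primitive
        if self.tn is None or blk.primitive not in self.procedures:
            raise SecurityError("primitive not accepted in the current context")
        expected = _proof(self.key, self.tn, blk.primitive, blk.mask, blk.operational)
        if not hmac.compare_digest(expected, blk.security):
            raise SecurityError("security part does not verify")
        # b. decryption of the operational data
        plain = _xor(blk.operational, _keystream(self.key, self.tn, b"cmd", len(blk.operational)))
        # c. performing the command on the data elements selected by the mask
        selected = [e for i, e in enumerate(self.elements) if (blk.mask >> i) & 1]
        result = self.procedures[blk.primitive](selected, plain)
        # d. encryption of the resulting operational data
        cipher = _xor(result, _keystream(self.key, self.tn, b"rsp", len(result)))
        # e. proof of completion / correctness of the resulting data
        return Block(blk.primitive, blk.mask, cipher,
                     _proof(self.key, self.tn, blk.primitive, blk.mask, cipher))

# Constructed procedural descriptions; the access conditions are enforced here.
def read_elements(selected, data):
    if any(not e.readable for e in selected):
        raise SecurityError("a selected data element is not readable")
    return b"".join(e.value for e in selected)

def credit_counter(selected, data):
    if len(selected) != 1 or not selected[0].writable:
        raise SecurityError("credit needs exactly one writable element")
    new = int.from_bytes(selected[0].value, "big") + int.from_bytes(data, "big")
    selected[0].value = new.to_bytes(4, "big")
    return selected[0].value

# Opposite unit (terminal) side of the exchange.
def build_command(key, tn, primitive, mask, plaintext):
    op = _xor(plaintext, _keystream(key, tn, b"cmd", len(plaintext)))
    return Block(primitive, mask, op, _proof(key, tn, primitive, mask, op))

def open_response(key, tn, rsp):
    if not hmac.compare_digest(_proof(key, tn, rsp.primitive, rsp.mask, rsp.operational), rsp.security):
        raise SecurityError("response proof does not verify")
    return _xor(rsp.operational, _keystream(key, tn, b"rsp", len(rsp.operational)))

def make_context(key):
    # Constructed context: a readable, writable balance and a PIN that must never be read out.
    elements = [DataElement("balance", bytes(4), writable=True),
                DataElement("pin", b"1234", readable=False)]
    return InteractionContext(elements, {1: read_elements, 2: credit_counter}, key)
```

A whole credit then read-back takes two blocks each way once the context has been entered, which is the two-command case the description mentions.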
- A specific application can be implemented that is dedicated to loading other applications into the card.
- The applications, once loaded into a card, can be protected from the very application that loaded them.
- This protection gives the parties involved in a multi-application card scheme, especially the card issuing entity and the application providing entities, a basis for their business agreement. Being based on tangible things such as the amount of storage needed on each card, the number of cards to be equipped and the duration of the application on the card, instead of an abstract notion of "trust" and "good care", the application provider's contract is easier to formulate than in traditionally implemented smart cards.
- The card issuer and the application provider do not need to share secret keys and protect this sharing with contractual obligations and mutually agreed key transportation facilities.
- Application software implemented on the basis of the new technique has several benefits compared with prior art smart card operating systems:
  * A minimal exchange of data between a terminal and a card is needed to establish interoperability between card and terminal, e.g. that they support the same application(s). The values of the data to be exchanged to this end can be structured as proposed in the draft international standard ISO 7816-5;
  * To complete a transaction between card and terminal, the theoretically minimal number of data exchanges can actually be used, because the transaction is completed as a private computation instead of requiring a lengthy sequence of standard commands;
- Figure 1 shows a prior art application design on smart cards based on a hierarchically organized collection of data elements;
- Figure 2 presents a diagram of the communication flow between a portable processing unit and a similarly structured processing unit in a format currently accepted as standard;
- Figure 3 presents a basic implementation of the present invention using the concept of interaction contexts in portable processing units, such as smart cards, and card terminals;
- Figure 4 presents an example of a practical organization of an execution context, highlighting the different relationships between the procedural descriptions contained in the interaction context and the data elements and library functions used while performing the procedures;
- Figure 5 shows an example of a flow diagram of program execution control and the security context switches involved in performing the procedural description invoked by a communication primitive.
- The structure of data and files in prior art systems is depicted in figure 1.
- There is a master file 1 which is connected to several elementary files 3 and to one or more dedicated files 2.
- Each dedicated file 2 may be connected to one or more further dedicated files 2 and to one or more elementary files 3.
- The prior art thus uses a tree-like hierarchy of directories and files. The number of subordinate levels in the prior art structure is in principle unlimited.
- The terminology used in figure 1 is taken from the proposed international standard ISO 7816-4.
- The communication comprises a set of pairs of blocks. The communication starts with a reset signal m0 from the data processing unit 4.
- Such a reset signal may be outside the communication bandwidth, such as one generated by power-on logic in data processing unit 5.
- The portable data processing unit 5 responds with an answer-to-reset (ATR) signal m1, possibly followed by contents. All subsequent pairs of blocks m2, m3, ..., m(n-1), mn consist of blocks headed by a communication primitive (e.g. a command) followed by contents.
- Figure 3 shows the internal structure of two data processing units according to the invention which are communicating with each other by transmitting and receiving data.
- the left data processing unit 4 may be, among others, a terminal and the right data process ⁇ ing unit may be, among others, a portable data processing unit, e.g. a smart card.
- the invention is also applicable to two portable data processing units able to communicate with each other by appropriate communication means.
- Each of the data processing units 4, 5 comprises data communication means 7, 14 through which structured blocks of data can be exchanged.
- Each of the data processing units 4, 5 comprises processing means 8, 15, and memory means 9, 16.
- the memory means 9, 16 could be any configuration of read-only memory (ROM), random access memory (RAM) and programmable read-only memory such as electrically erasable programmable read-only memory (EEPROM).
- the memory means 9, 16 comprises an executive program 12, 17, here indicated by "MAXOS". If the portable data processing unit 5 is suitable for two or more applications, the memory means 9, 16 comprises two or more application descriptions 13(1) ... 13(n), 18(1) ... 18(n). There are as many application descriptions as there are applications of the data processing unit concerned. Each application description is indicated by "CSA". The second application description 13(2), 18(2) has been shown on an enlarged scale in figure 3 to allow display of the contents of each application description. Each application description 13(i), 18(i) comprises at least one "interaction context" 11(1) ... 11(m), 19(1) ... 19(m). Each interaction context is indicated by "CTA".
- Each interaction context contains:
  - a set of commands specifying the communication primitives recognized by the interaction context and referencing appropriate procedures specified in a set of procedures;
  - a set of data;
  - a set of data references to data residing in other interaction contexts, if any;
  - a set of procedures that may be performed by the executive program 12, 17;
  - a set of access conditions to the data elements;
  - a set of external references referring to data elements to be used in commands issued by the other data processing unit;
  - optionally, other developer-specified lists.
- the memory means 9, 16 comprises a memory element 21, 20 that contains a reference to the "current CTA", i.e. the interaction context currently in force.
- the intention of several interaction contexts within one application description is to provide a functional separation in possible interactions between the data processing units 4, 5. This is especially relevant when the functional separation is also a separation in security conditions.
- An example may be a first interaction between a smart card and a terminal to open, for instance, a door and a second interaction when programming which doors are allowed to be opened.
- the second interaction needs better security than the first interaction and is assigned its own interaction context.
- Obtaining access to the interaction context is the first step in assuring the security of the operations that may be executed within the interaction context.
- Figure 4 shows a practical approach to implementation of the context mechanism displayed as a memory organization model which shows the relations between data elements, access conditions and procedures.
- the structure of figure 4 applies whenever there are two or more applications of the portable data processing unit 5. If there is only one application the structure is strongly simplified, as will be explained later.
- the reference numbers of the data processing unit 5 are depicted. However, the structure of figure 4 is likewise applicable to the memory means 9 of the data processing unit 4.
- data element descriptions and procedure descriptions are optimally organized to reflect sharing of program code and sharing of data between different interaction contexts (CTA's) which make up one application (CSA).
- the memory means 16 comprise data elements H(1) ... H(7), executable code elements G(1) ... G(5) which are part of the operating system, and application descriptions 18(1), 18(2) (CSA1, CSA2).
- data and code which are internal to the operating system are left out.
- the number of data elements, executable code elements and application descriptions as presented in figure 4 is only given by way of example: the numbers may vary as required in reality.
- Each application description 18(1), 18(2) is physically present in the memory means. They provide a first bottom layer of abstraction to reflect memory use.
- Each application description 18(1), 18(2) consists of:
  - a procedure library consisting of units of executable code F(1) ... F(4) that may refer to units of executable code of the operating system made available for this purpose, as indicated by arrows p(1) ... p(5);
  - a list of data elements E(1) ... E(7) to be used by procedures within the interaction contexts 19(1) ... 19(2) within the present application description 18. This data list comprises data access conditions and pointers q(1) ... q(7) to storage areas holding data elements;
  - an interaction context list comprising a number of interaction context descriptions 19(1), 19(2).
- the number of elements within the procedure library, the list of data elements and the interaction context list within the application description 18(1) as shown in figure 4 is for presentation purposes only. Of course, the number of elements may vary depending on the desired application.
- Interaction contexts 19(1), 19(2) are physically present in the memory means storing the application description 18(1). Logically, the interaction contexts provide a second layer of memory use control. The combined control provided by this second layer and the application description layer gives an effective implementation of an execution context mechanism for portable data processing units, such as smart cards.
- Each interaction context 19(1), 19(2) comprises:
  - a list of procedural descriptions C(1) ... C(5). These procedure descriptions may refer to procedural descriptions in the procedure library within the application description 18 as indicated by example arrows s(1), s(2). Alternatively these procedural descriptions may refer to executable code elements G(1) ... G(5) provided by the operating system, as indicated by example arrow t(1). These procedural descriptions may contain explicit references to any data elements which are used by the procedure during execution and which are present in the data list of the application description 18 concerned, as indicated by arrows r(1) ... r(6);
  - a data list containing data elements B(1) ... B(5) exclusively available for use by the procedures in the interaction context concerned. Data elements are represented as references to the data list of the application description 18 concerned with associated access conditions to adhere to when accessing the actual data, as indicated by arrows u(1) ... u(5);
  - an external interface list comprising communication primitives A(1) ... A(4) which are accepted as commands by the interaction contexts 19(1), 19(2) concerned. Each command within a communication primitive refers to a member of the procedural descriptions C(1) ... C(5) of the procedure list within the interaction context concerned, as indicated by arrows v(1) ... v(4).
- the commands when issued by the communicating device 4 may refer to elements in the data list of the application description by one or more addresses following the command. Each command may be accompanied by data elements as input to the command processing.
- the number of addresses as given here is by example only and is determined for each command as required in reality.
- Any external command within a communication primitive A(1) ... A(4) can only address data elements referenced in the data list of the interaction context 19 concerned. Access is only allowed if the access conditions are met. These access conditions specify the type of access that is allowed for the command; such an access condition may be no access, read-only access, read-and-write access, and secret key use. Other access conditions may be applied too.
- the command of communication primitive A(1) may have read-only access to data element B(2) through reference arrow w(2), while the command of communication primitive A(2) has read-and-write access to the same data element B(2) through reference arrow w(3).
- Procedural descriptions C(1) ... C(5) can refer to data elements in the data list of the application description 18 concerned and no others. Again, access is only provided if the access condition is met. These access conditions also specify the type of access that is allowed: for instance, no access, read-only access, read-and-write access, and secret key use. Access conditions for different procedural descriptions within the same interaction context 19 may differ for the same application description data list element E(1) ... E(7), e.g. reference arrow r(1) may represent a read-only access condition, whereas reference arrow r(2) may represent a read-and-write access condition.
- Access conditions are checked on the relevant level, i.e. application description level or interaction context level and only once.
- An element B(1) ... B(5) of the data list within an interaction context 19(1), 19(2) refers directly by arrow u(1) ... u(5) to the pointer of a data element in the data list of the application description 18(1) because the access conditions are already met in the data list element E(1) ... E(7) of the application description
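The two-tier access-condition model of figure 4 (application description data list with pointers and conditions; interaction context data list, commands and procedures with their own conditions), as an added example in Python that is not code from the patent. Class names, the Access flags and the purse sample (H1, H2, E1, E2, B1, B2, A1, A2, C1) are constructed. The rule modelled is the one stated above: an external command may address only elements in its context's data list and is checked once, at the w arrow; a procedural description is checked once, at the r arrow; and a B-to-E reference is valid only when the application-level condition already covers it, so no second check is made when the pointer is followed.

```python
from enum import IntFlag


class Access(IntFlag):
    """Access condition kinds named in the description; others may be added."""
    NONE = 0
    READ = 1
    WRITE = 2
    KEY_USE = 4      # "secret key use": usable inside a cryptographic routine, never read out


class Denied(Exception):
    pass


def _check(granted, requested, what):
    # requested must be a subset of the granted condition bits
    if requested & granted != requested:
        raise Denied(f"{what}: {requested!r} not within condition {granted!r}")


class ApplicationDescription:
    """CSA level: data list E(i) = (access condition, pointer q(i) into storage H)."""

    def __init__(self, storage):
        self.storage = storage            # H(j): the physical data elements
        self.data_list = {}               # E(i) -> (condition, storage key)

    def declare(self, e_id, condition, storage_key):
        self.data_list[e_id] = (condition, storage_key)


class InteractionContext:
    """CTA level: data list B(k) -> E(i) (arrows u), procedures C with r arrows,
    commands A with v arrows to procedures and w arrows carrying conditions."""

    def __init__(self, csa):
        self.csa = csa
        self.data_list = {}               # B(k) -> E(i)
        self.procedures = {}              # C(n) -> {E(i): condition}
        self.commands = {}                # A(n) -> (C(n), {B(k): condition})

    def reference(self, b_id, e_id, mode):
        # The application-level condition is met once, when the CTA entry is built;
        # afterwards B(k) points straight at the pointer of E(i) (arrow u).
        condition, _ = self.csa.data_list[e_id]
        _check(condition, mode, f"{b_id}->{e_id}")
        self.data_list[b_id] = e_id

    def define_procedure(self, c_id, conditions):
        self.procedures[c_id] = dict(conditions)

    def define_command(self, a_id, c_id, conditions):
        self.commands[a_id] = (c_id, dict(conditions))

    def command_operand(self, a_id, b_id, mode):
        """Storage key an external command may use for B(k); checked once, at the w arrow."""
        if b_id not in self.data_list:
            raise Denied(f"{b_id} is not in this context's data list")
        _, conditions = self.commands[a_id]
        _check(conditions.get(b_id, Access.NONE), mode, f"{a_id} on {b_id}")
        _, key = self.csa.data_list[self.data_list[b_id]]   # follow u and q without re-checking
        return key

    def procedure_operand(self, c_id, e_id, mode):
        """Storage key a procedural description may use for E(i); checked once, at the r arrow."""
        if e_id not in self.csa.data_list:
            raise Denied(f"{e_id} is not in the application's data list")
        _check(self.procedures[c_id].get(e_id, Access.NONE), mode, f"{c_id} on {e_id}")
        _, key = self.csa.data_list[e_id]
        return key


def build_example():
    """Constructed sample: a purse application with one interaction context."""
    storage = {"H1": bytearray(b"\x00\x64"), "H2": bytearray(b"\x0f" * 16)}   # balance 100, a key
    csa = ApplicationDescription(storage)
    csa.declare("E1", Access.READ | Access.WRITE, "H1")
    csa.declare("E2", Access.KEY_USE, "H2")
    cta = InteractionContext(csa)
    cta.reference("B1", "E1", Access.READ | Access.WRITE)
    cta.reference("B2", "E2", Access.KEY_USE)
    cta.define_procedure("C1", {"E2": Access.KEY_USE})                   # r(1): a MAC routine may use the key
    cta.define_command("A1", "C1", {"B1": Access.READ})                   # w(2): read-only on B1
    cta.define_command("A2", "C1", {"B1": Access.READ | Access.WRITE})    # w(3): read-and-write on B1
    return cta


def allowed(fn, *args):
    """True when the access resolves, False when the executive would refuse it."""
    try:
        fn(*args)
        return True
    except Denied:
        return False
```

The same data element B(2) of the text, read-only for A(1) and read-and-write for A(2), corresponds here to B1 under A1 and A2; the key element E2 can be referenced for key use only, so neither a command nor a procedure can obtain it for reading.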
- G(5) may be referred to by any of the application descriptions 18(1) ... stored within the memory means 16. These last references of application descriptions other than application description 18(1) to the common codes G(1) ... G(5) are not explicitly indicated in figure 4. However, any person skilled in the art can easily extend the structure of figure 4 to two or more application descriptions 18(1), 18(2), .... After having explained how data elements may be protected by the use of access conditions of different kinds, memory management provisions will now be explained. For memory management, it is desirable that alterable data (data elements) and non-alterable data (operating system code) can be managed by the operating system separately.
- the memory reference model as shown in figure 4 provides a separation of code and data elements within the memory means 16 which are referred to by pointers q(1) ... q(7), p(1) ... p(5) from the data list and the procedure library, respectively, within the application description 18 concerned.
- Data list elements within each interaction context 19(1), 19(2) only contain references to these pointers and no direct references to the codes G(1) ... G(5), and the data elements H(1) ... H(7) within the memory means 16.
- the data list of the application description 18 concerned provides the level of indirection required by the operating system to perform memory management.
- Code duplication is avoided by providing common code libraries on two levels: "command bodies" like procedural description C(3) refer to code element F(2) in the procedure library in application description 18(1) in order to share common code among different interaction contexts.
- the body of procedural description C(3) also refers directly to a code element G(3) stored in the memory means 16 and provided by the operating system. All units of executable code G(1) ... G(5) provided by the operating system are implemented for efficient execution.
- the memory structure according to figure 4 is also applicable in situations where only one application of the data processing unit 5 is provided for.
- the only application description 18(1) may even coincide with one interaction context 19(1), which interaction context then contains at least the following coherent data structure:
  - a. a set of basic communication primitives A(1) ... which are accepted whenever the data processing unit 5 communicates with a similar unit 4, said primitives at least including a primitive used to selectively enter one of the said at least one interaction contexts;
  - b. a set of procedural descriptions C(1) ... defining the actions to be performed in response to each of the accepted communication primitives A(1) ..., at least comprising a first procedural description to be performed upon activating the interaction context, and a last procedural description to be performed immediately before deactivating the context;
  - c. a, possibly empty, set of data elements H(1) ... either permanently stored or computed, which are available for use when procedures as defined in the procedural descriptions C(1) ... are performed;
  - a, possibly empty, data list comprising a list of references to data elements which are available for explicit reference as part of a communication primitive to be used by the procedural description associated with the communication primitive;
  - f. a set of access conditions associated to the data elements which are referenced in association to the procedural descriptions;
  - g. a set of access conditions associated to the list of data references B(1) ... in the data list.
- each application description comprises:
  - a. a data list comprising references E(1) ... to data elements, which references may be accessible to two or more interaction contexts 19(1) ... and may be extended by additional data elements;
  - b. a further set of access conditions associated to said references E(1) ... or to said additional data elements and defining restrictions of use.
- the set of procedural descriptions in each of the two or more interaction context descriptions also contains an additional last procedural description to be performed immediately before deactivating the context.
- Figure 5 represents the flow of control in the executive program defined above by "MAXOS" (12, 17).
- the software starts with processing a reset code in step 30.
- In step 31 the kernel operations security level of the data processing unit is entered. The access conditions describing this level are stored in an unmodifiable part of memory, e.g. ROM or hardware logic.
- In step 32 the non-volatile memory is checked for consistency and any modifications which might have been left unfinished by sudden power down, e.g. by extraction of a smart card, are cancelled.
- Non-volatile memory consistency check only involves examining state information stored in memory and computing check sums. The content of memory, if accessed at all, is only used to compute check sums. Thus, the consistency check is a safe operation.
- In step 33, if the executing environment is thus declared safe, the secure application security level of the data processing unit is entered. In this level any access to memory pertaining to the kernel operations is blocked. Access to application data and descriptions from this level is exclusively provided through routines in the kernel which maintain state information on ongoing memory operations.
- In step 34 application data element descriptors are used to check consistency of stored data with the descriptor, and memory is changed if in a state inconsistent with the attribute as described.
- An answer to reset (ATR) message is composed from application identifiers stored in the application descriptors and completed with a transaction number computed to be unpredictable by the receiving other data processing unit 4.
- a terminal command is generated to activate a default interaction context.
- this internal context activation command is executed to provide an interaction context for subsequent commands.
- the ATR message clearly indicates the readiness of the data processing unit 5 to accept further commands.
- the default interaction context can be designed as part of a "smart card holder application" which is present as one standard application in all multi-application smart cards.
- the user, i.e. the smart card holder, can review his personal data or open any of the other applications on the card.
- the interaction context (CTA) security level is entered for the standard smart card holder CTA.
- In step 38, after having established that a communication primitive is received in step 36 and is established to be acceptable in step 37, it is tested whether a new application has to be activated. If not, step 39 is entered in which the command is checked to determine whether it is allowed and the input data can be accepted. These checks are performed for a command only if specified in the application descriptor. Also a decryption of input data may be carried out in step 39. If the test succeeds the "data access protection level" is entered, step 40.
- routines may be executed which are coded by application providers, step 41. Such routines are stored in the application descriptor and function as an application specific reaction to a specific command issued by the other data processing unit 4. This security level constrains memory access to a subset specifically defined for the command being executed.
- After carrying out the command with the submitted input data in step 41, the data access protection level is left, step 42.
- Output data and (cryptographic) proof of command completion is generated in step 43.
- the program waits for new communication primitives, step 36. If no special command routine is defined and the command can be executed by procedures consisting solely of operating system functions, the data access protection level (step 40) is not entered, and the command will be performed on the interaction context security level directly, as the operating system routines are designed not to violate any data protection.
- If, in step 38, it is established that no new application is to be activated the program proceeds with step 44 in which a context de-activation procedure is performed.
- In step 45 the current application specific security level is left and, in step 46, within the security level of the executive program "MAXOS" the data accompanying the command are checked.
- If the command is allowed by proper authentication as specified for the requested application a new application specific CTA security level is entered, step 47. This level restricts access to data pertaining to the newly opened application.
- the data processing unit 5 produces data in response to a context activation command by executing an initialization instruction as defined in the procedure list, step 48. If such an application provider coded routine is present the data access protection level is entered in step 49. The context activation procedure is performed in step 50. In step 51 the data access protection level is left and the response is communicated to the other data processing unit 4, and the data processing unit 4 itself is ready to receive a new command after step 43, specified above.
- the codes in the procedure library within each application description 18(1), 18(2) may be enhanced by including a specification of the use of their operational parameters into classes relating to attributes pertaining to data elements which can be passed as actual value in a computation, which computation only proceeds if the data attributes and parameter classes match. This provides one way to verify access conditions both to data elements and to functions. Comparing properly encoded bit maps of data attributes and parameter classes respectively may provide an efficient implementation for this additional technique.
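The parameter-class / data-attribute matching technique of the preceding paragraph, as an added example that is not the patent's code. The attribute names, the library entries and the data elements are constructed; the one mechanism shown is the bit-map comparison that lets a computation proceed only when each actual data element carries every attribute bit required by the parameter it fills, which refuses a key element where a revealable value is expected and vice versa.

```python
import hashlib
import hmac
from enum import IntFlag


class Attr(IntFlag):
    """Data element attributes and parameter classes share one bit map (names constructed)."""
    READABLE = 1     # may be revealed to the other data processing unit
    WRITABLE = 2
    SECRET = 4       # key material: usable inside a computation, never revealed
    COUNTER = 8


def matches(parameter_class, data_attributes):
    """Every bit the parameter class requires is present in the data element's attributes."""
    return parameter_class & data_attributes == parameter_class


def call(function, actual_elements):
    """function = (name, parameter classes by position, body).  The computation only
    proceeds if each actual data element matches the class of the parameter it fills."""
    name, classes, body = function
    if len(classes) != len(actual_elements):
        raise TypeError(f"{name}: expects {len(classes)} operational parameters")
    for position, (cls, (elem, attrs, _)) in enumerate(zip(classes, actual_elements)):
        if not matches(cls, attrs):
            raise PermissionError(f"{name}: {elem} ({attrs!r}) does not fit parameter {position} ({cls!r})")
    return body(*(value for _, _, value in actual_elements))


# constructed procedure library entries: (name, parameter classes, code)
MAC = ("mac", [Attr.SECRET, Attr.READABLE],
       lambda key, message: hmac.new(key, message, hashlib.sha256).digest()[:4])
REVEAL = ("reveal", [Attr.READABLE], lambda value: value)
INCREMENT = ("increment", [Attr.WRITABLE | Attr.COUNTER],
             lambda value: (int.from_bytes(value, "big") + 1).to_bytes(len(value), "big"))

# constructed data elements: (name, attributes, value)
KEY = ("K1", Attr.SECRET, b"\x0f" * 16)
BALANCE = ("D1", Attr.READABLE | Attr.WRITABLE | Attr.COUNTER, b"\x00\x64")
HOLDER = ("D2", Attr.READABLE, b"ANNE")


def allowed(function, actual_elements):
    """True when the bit-map check admits the call, False when it is refused."""
    try:
        call(function, actual_elements)
        return True
    except PermissionError:
        return False
```

One comparison per parameter verifies both sides at once: the data element's access condition (a SECRET element never reaches REVEAL) and the function's right to its input (INCREMENT only accepts writable counters).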
- the executive program 12, 17 may comprise a reference to an interaction context which is used to initialize the current interaction context in the memory element 20 storing a reference to the interaction context currently being in force.
- This default interaction context may well be one such context contained in the card-holder application as described above.
- the memory means 9, 16 may comprise an interaction context 11, 19 dedicated to comprise personal identification numbers (PIN's) and the executive program 12, 17 is arranged to verify personal identification numbers supplied by a user of the data exchange system.
- passwords may be used.
- One such password may be used to protect use of the device in transactions where privacy sensitive data can be revealed.
- a second password may be used to protect transactions where data representing a value payable by the password holder is communicated.
- a third password may be used to protect transactions where operations are performed deemed critical to the security of the application such as modes of protection being called upon as specified within each of the interaction contexts 11, 19 that may require it. Further passwords may be provided for.
- This PIN management interaction context may well be one such context contained in the card-holder application as described above.
- Each application description 13, 18 may comprise a list of numeric values which is constructed to provide identifiers for all interaction contexts 11, 19, and each application description 13, 18 may comprise at least a first numeric value indicating an application type, a second numeric value indicating a unique identification of the entity providing the application, a third numeric value indicating the nature of the application description 13, 18 and further numbers each uniquely referring to one interaction context 11, 19.
- the first two numbers may be assigned according to rules well established in the trade, whereas the remaining numbers may be chosen by the application providing entity as deemed appropriate. Especially it may assign numeric values to distinguish between different versions of the implementation or to identify the generation of the set of cryptographic keys employed by the application in its cryptographic computations.
- the device may include in the answer to reset message a list containing, for each of the interaction contexts 11, 19 contained in its memory means, an identification number composed of the unique identification values stored with the interaction context.
- the first element in the list of interaction context identification numbers may be an identification for the default context.
- the data communication means 7, 14 are preferably arranged to structure data exchange in blocks of data. These blocks of data comprise at least two parts, a first part being data qualified as operational in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive, or data resulting from operations carried out. A second part will be qualified as security in that it is used to determine the appropriateness of performing an operation or the acceptability of data within the operational part to be used in the operation, or to prove completion of the operation or correctness of the revealed data.
- the executive program 17 may be arranged to perform, upon accepting a communication primitive to perform operations specified in the current interaction context 20, 21, each operation as part of a predetermined and fixed sequence of actions, each of which is specified separately as part of a procedure description rule associated to the accepted communication primitive.
- a first action may be specified as a function to authorize the use of the communication primitive at this point in the sequence of communications.
- a second action may be specified as a function to decrypt the operational data or any part of it, whereas a third action may be specified as the operational procedure proper.
- a fourth action may be specified to encrypt any operational data which results from the operations performed and a fifth action may be specified as a function to compute a proof of completion of the performed action or of correctness of the resulting data or to be used in security computations in the receiving data processing unit. These actions are reflected by the flow diagram of figure 5.
- the data processing unit 5 may include in its answer to reset message a number chosen to be unpredictable in value by the receiving data processing unit 4, which can serve as the basis for cryptographic computations. Such a number may be designated as the "card transaction number".
- This communication primitive may be designated as the "activation command".
- the data accompanying the activation command sufficiently specifies the context to be activated possibly by referring to the identification numbers communicated as part of the answer to reset message.
- the actions performed in responding to the activation command are firstly described by the procedural description contained in the context accepting the primitive designated as for deactivation and secondly described in the procedural description designated for activation contained in the context specified as to be entered.
- the communication primitive used to enter a specified interaction context 11, 19 comprises numeric values to be used in security calculations in subsequent communications.
- a first random value may be generated by one of the processing units 4, 5 and a second value may serve to identify that one processing unit. This identification might be the result of computations, which are such that the resulting value sufficiently identifies the device and the state of its memory as required by computations or other actions which might be done in subsequent exchanges of data in the interaction context 11, 19 to be activated.
- Said second value may be designated as "terminal identification".
- the activation command gives as part of the resulting data a numeric value serving to identify the particular responding data processing unit sufficiently as required by computations or other actions which might be done in subsequent exchanges of data in the context just being activated, which number may be designated as "smart card identification".
- the smart card identification number may be computed using cryptographic functions from data stored in the data processing unit 5 or from the data received as part of the activation command in such a way that the number varies in unpredictable manner when computed in response to activation commands received from initiating devices with differing terminal identification numbers; a smart card identification thus computed can be designated as the "smart card pseudonym".
- the executive program may perform a cryptographic computation specified as part of the procedural description in that context designated to be performed upon activation to determine whether the context may be activated.
- the computations may involve use of the smart card transaction identification, terminal transaction identification and terminal identification and other values stored in the memory means.
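The answer-to-reset identification numbers (application type, provider, nature, provider-chosen version and key generation, context number), the card transaction number, and the activation exchange that yields a per-terminal smart card pseudonym, as an added example that is not the patent's code. The byte layout, the HMAC-based pseudonym function and the proof computed over both transaction numbers and the terminal identification are constructed choices; the description names these values but prescribes no algorithm or encoding.

```python
import hashlib
import hmac


def context_identifier(app_type, provider, nature, cta_number, version=0, key_generation=0):
    """Identification number of one interaction context: the numeric values of its
    application description (type, provider, nature, provider-chosen version and key
    generation) followed by the context's own number.  Seven-byte layout is constructed."""
    return (bytes([app_type]) + provider.to_bytes(2, "big")
            + bytes([nature, version, key_generation, cta_number]))


def answer_to_reset(identifiers, card_transaction_number):
    """ATR: count, the context identification numbers (default context first), then the
    card transaction number (8 bytes, unpredictable to the terminal)."""
    return bytes([len(identifiers)]) + b"".join(identifiers) + card_transaction_number


def parse_atr(atr):
    """Terminal side: recover the identification list and the card transaction number."""
    count = atr[0]
    ids = [atr[1 + 7 * i: 8 + 7 * i] for i in range(count)]
    return ids, atr[1 + 7 * count:]


def smart_card_pseudonym(card_secret, terminal_identification):
    """Smart card identification that varies unpredictably between terminals but is stable
    for one terminal: an HMAC of the terminal identification under a card-held secret
    (the cryptographic function is a constructed choice; the description names none)."""
    return hmac.new(card_secret, b"pseudonym" + terminal_identification, hashlib.sha256).digest()[:8]


def activation_command(context_id, terminal_transaction_number, terminal_identification):
    """Terminal side: activate a context announced in the ATR, supplying both security values."""
    return b"ACT" + context_id + terminal_transaction_number + terminal_identification


def activation_response(card_secret, context_key, card_transaction_number, command):
    """Card side: returns (smart card pseudonym, proof); the proof binds the card transaction
    number, the terminal transaction number, the terminal identification and the pseudonym."""
    if command[:3] != b"ACT" or len(command) < 3 + 7 + 8 + 1:
        raise ValueError("malformed activation command")
    terminal_txn, terminal_id = command[10:18], command[18:]
    pseudonym = smart_card_pseudonym(card_secret, terminal_id)
    proof = hmac.new(context_key, card_transaction_number + terminal_txn + terminal_id + pseudonym,
                     hashlib.sha256).digest()[:8]
    return pseudonym, proof


def terminal_verifies(context_key, card_transaction_number, terminal_txn, terminal_id, pseudonym, proof):
    """Terminal side: the response is accepted only if it was computed for this very exchange."""
    expected = hmac.new(context_key, card_transaction_number + terminal_txn + terminal_id + pseudonym,
                        hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, proof)
```

Because the pseudonym is keyed by a secret the terminal never sees, two terminals with different identification numbers obtain unrelated values for the same card, while one terminal sees the same value on every visit, which is the property the text asks of the smart card pseudonym.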
- each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a fixed number of binary values each of which is interpreted by the executive program 12, 17 as a reference to a single data element.
- This data element is specified in the list of external data references in the interaction context 11, 19 concerned, each data element in the list being specified by the presence of a binary value of one of the binary numbers in a corresponding position in the list of binary values.
- This second value may be designated as the "operand addresses".
- each of the data elements which are so specified is made available by the executive program 12, 17 to be used in the responding action in a manner as may be described in the procedural description of that action.
- a command format with data match specification of data elements may be applied.
- each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being used to determine which of the data elements available for external reference in an active interaction context 11, 19 will be used while performing responding actions in such a way that any data element is selected if it contains a value that matches said second value.
- This second value may be designated as the "operand tag specifier”.
- the interaction context 11, 19 may contain a procedural description indicating in what way an operand tag specifier given as part of a command is to be compared with data contained in any of the data elements available for external reference in that context, which procedural description is performed to select the intended data elements before the procedural description specifying the command actions proper is performed.
- each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a number of binary values which are assigned specific meaning by the executive program 12, 17 to be used in interpreting data formats in the communication primitive and in performing responding actions.
- the second value may be designated as "command modifier". The values are recognized for their assigned meaning by all units equipped with this additional technique.
- the command modifier may include a binary value which determines whether a third part of the command is to be used as operand address or as operand tag specifier.
- the command modifier may, as an alternative, include a binary value which determines whether the operation performed as response to the command will use data as one data element or is composed of a concatenation of data elements, one to be processed in conjunction with each data element specified as part of the command value using operand addresses or the operand tag specifier.
- the command modifier may include a binary value which determines whether data provided with the command is encoded using the tag-length-value method to discriminate successive concatenated data elements.
- the command modifier may include a binary value which determines whether performing the action implied by the command will actually lead to effective change of data stored in the data processing unit 5 (smart card) or actually result in data computed by the data processing unit 5, or that the command result is data reflecting the state of the unit with regard to the acceptability of the command, the data accompanying it, the size of the data which could result from computations or other sundry attributes.
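A parser and executor for the command format described above (a first value referring to a procedural description, the command modifier bits, then either operand addresses or an operand tag specifier, followed by the operational data), as an added example that is not the patent's code. The bit positions of the modifier, the instruction codes and the sample external reference list are constructed; the fixed-slice split used when the concatenation bit is set without tag-length-value encoding is an assumption, since the description does not specify it. One byte of operand addresses covers eight externally referenceable elements, which illustrates why so few bits suffice for the name space of one context.

```python
from dataclasses import dataclass

# command modifier bits (positions are constructed; the description assigns no layout)
MOD_TAG = 0x01      # third part is an operand tag specifier rather than operand addresses
MOD_CONCAT = 0x02   # data is a concatenation of items, one per selected data element
MOD_TLV = 0x04      # items are tag-length-value encoded
MOD_QUERY = 0x08    # report acceptability and attributes instead of changing or computing data

INS_READ, INS_WRITE = 0x01, 0x02   # constructed instruction codes


@dataclass
class DataElement:
    name: str
    tag: int
    value: bytes


@dataclass
class Command:
    instruction: int   # first value: reference to a procedural description
    modifier: int      # command modifier bits
    selector: int      # operand addresses (bit map) or operand tag specifier
    data: bytes


def parse_command(raw):
    if len(raw) < 3:
        raise ValueError("a communication primitive has at least three numeric values here")
    return Command(raw[0], raw[1], raw[2], bytes(raw[3:]))


def select_operands(cmd, external_refs):
    """external_refs: the context's list of data elements available for external reference,
    in position order.  Bit i of the operand addresses selects position i; a tag specifier
    selects every element whose tag matches."""
    if cmd.modifier & MOD_TAG:
        return [e for e in external_refs if e.tag == cmd.selector]
    return [e for i, e in enumerate(external_refs) if (cmd.selector >> i) & 1]


def split_data(cmd, operands):
    """Operational data as a single item, or one item per selected element."""
    if not cmd.modifier & MOD_CONCAT:
        return [cmd.data]
    if cmd.modifier & MOD_TLV:
        items, pos = [], 0
        while pos + 2 <= len(cmd.data):
            length = cmd.data[pos + 1]          # tag byte at pos is left to the procedure proper
            items.append(cmd.data[pos + 2:pos + 2 + length])
            pos += 2 + length
        return items
    items, pos = [], 0                          # without TLV: fixed slices, one per element (assumed)
    for e in operands:
        items.append(cmd.data[pos:pos + len(e.value)])
        pos += len(e.value)
    return items


def execute(cmd, external_refs):
    operands = select_operands(cmd, external_refs)
    if not operands:
        raise LookupError("command addresses no data element available in this context")
    items = split_data(cmd, operands)
    if cmd.modifier & MOD_QUERY:                # nothing is changed or computed
        return {"acceptable": cmd.instruction in (INS_READ, INS_WRITE),
                "operands": [e.name for e in operands], "items": len(items)}
    if cmd.instruction == INS_READ:
        return b"".join(e.value for e in operands)
    if cmd.instruction == INS_WRITE:
        if len(items) != len(operands):
            raise ValueError("one data item per selected element expected")
        for e, item in zip(operands, items):
            e.value = item
        return b"".join(e.value for e in operands)
    raise LookupError("instruction not in this context's procedure list")


def build_context():
    """Constructed sample external reference list of a purse context."""
    return [DataElement("balance", 0x10, b"\x00\x64"),
            DataElement("holder", 0x20, b"ANNE"),
            DataElement("limit", 0x10, b"\x03\xe8")]
```

With the query bit set the executive resolves the operands and data items exactly as it would for execution but returns only their description, so a terminal can learn whether a command would be accepted without any data element being altered.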
- the new technique introduced above, especially suitable for implementation in smart cards, is the concept of a separate execution environment.
- the processing means and other resources in a computer are shared between different applications as if each application were the only user of the computer.
- a mechanism is provided to define multiple access conditions for data shared by a number of related applications.
- a second technique supported by the separate execution environments and introduced above is the possibility to define the functional meaning of commands in each environment to obtain a minimum number of commands in each interaction between two similar data processing units 4, 5 within a data exchange system.
- names referring to stored data elements to be assigned within each context separately.
- the reference to stored data elements as part of a command received from one of the data processing units 4, 5 can thus be made very efficient: due to the very small number of data elements and small number of distinct operations that is used in today's smart card practice in each environment separately, only a few bits are needed to encode the name and instruction space. In a similar fashion access conditions, methods of verification thereof and cryptographic operations available to that end in actual smart cards will be very restricted in number and they can be expressed very efficiently in the two tier hierarchy of interaction context descriptions 19(1) ... enclosed in application description 18.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP7521126A JPH09508733A (en) | 1994-02-08 | 1995-02-08 | Data exchange system with portable data processing unit |
US08/676,347 US5802519A (en) | 1994-02-08 | 1995-02-08 | Coherent data structure with multiple interaction contexts for a smart card |
AU15460/95A AU681754B2 (en) | 1994-02-08 | 1995-02-08 | Data exchange system comprising portable data processing units |
CA002182783A CA2182783C (en) | 1994-02-08 | 1995-02-08 | Data exchange system comprising portable data processing units |
RU96118111A RU2148856C1 (en) | 1994-02-08 | 1995-02-08 | Information exchange system |
FI963111A FI117990B (en) | 1994-02-08 | 1996-08-07 | An information exchange system comprising portable computing units |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP94200236.1 | 1994-02-08 | ||
EP94200236A EP0666550B1 (en) | 1994-02-08 | 1994-02-08 | Data exchange system comprising portable data processing units |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1995022126A1 true WO1995022126A1 (en) | 1995-08-17 |
Family
ID=8216620
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/NL1995/000055 WO1995022126A1 (en) | 1994-02-08 | 1995-02-08 | Data exchange system comprising portable data processing units |
Country Status (13)
Country | Link |
---|---|
US (2) | US5802519A (en) |
EP (1) | EP0666550B1 (en) |
JP (1) | JPH09508733A (en) |
KR (2) | KR100386154B1 (en) |
CN (1) | CN1079968C (en) |
AT (1) | ATE152539T1 (en) |
AU (1) | AU681754B2 (en) |
CA (2) | CA2466650A1 (en) |
DE (1) | DE69402955T2 (en) |
FI (1) | FI117990B (en) |
NZ (1) | NZ278967A (en) |
RU (1) | RU2148856C1 (en) |
WO (1) | WO1995022126A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998009257A1 (en) * | 1996-08-30 | 1998-03-05 | Gemplus S.C.A. | A system and method for loading applications onto a smart card |
WO2003034281A1 (en) * | 2001-10-19 | 2003-04-24 | Intel Zao | Method and apparatus to provide a hierarchical index for a language model data structure |
US8594112B2 (en) | 2006-03-31 | 2013-11-26 | Qualcomm Incorporated | Memory management for high speed media access control |
US8737981B2 (en) | 2002-12-19 | 2014-05-27 | Qualcomm Incorporated | Downloadable configuring application for a wireless device |
Families Citing this family (123)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ATE152539T1 (en) * | 1994-02-08 | 1997-05-15 | Belle Gate Invest Bv | DATA EXCHANGE SYSTEM WITH PORTABLE DATA PROCESSING UNITS |
DK0757336T3 (en) * | 1995-08-04 | 2001-03-19 | Belle Gate Invest B V | Data Exchange System comprising portable data processing units |
US6385645B1 (en) | 1995-08-04 | 2002-05-07 | Belle Gate Investments B.V. | Data exchange system comprising portable data processing units |
EP0790551A1 (en) * | 1996-02-16 | 1997-08-20 | Koninklijke KPN N.V. | Method of modifying the instruction set of a smart card |
FR2748834B1 (en) * | 1996-05-17 | 1999-02-12 | Gemplus Card Int | COMMUNICATION SYSTEM ALLOWING SECURE AND INDEPENDENT MANAGEMENT OF A PLURALITY OF APPLICATIONS BY EACH USER CARD, USER CARD AND CORRESPONDING MANAGEMENT METHOD |
FR2752071B1 (en) * | 1996-07-30 | 1998-12-18 | Thomson Csf | CHIP CARD READER WITH IMPROVED MAN-MACHINE INTERFACE |
TW357298B (en) * | 1996-09-12 | 1999-05-01 | Toshiba Corp | IC card portable terminal |
US6575372B1 (en) | 1997-02-21 | 2003-06-10 | Mondex International Limited | Secure multi-application IC card system having selective loading and deleting capability |
US6317832B1 (en) | 1997-02-21 | 2001-11-13 | Mondex International Limited | Secure multiple application card system and process |
US6328217B1 (en) | 1997-05-15 | 2001-12-11 | Mondex International Limited | Integrated circuit card with application history list |
US6164549A (en) | 1997-05-15 | 2000-12-26 | Mondex International Limited | IC card with shell feature |
US6385723B1 (en) | 1997-05-15 | 2002-05-07 | Mondex International Limited | Key transformation unit for an IC card |
US6220510B1 (en) | 1997-05-15 | 2001-04-24 | Mondex International Limited | Multi-application IC card with delegation feature |
US6488211B1 (en) | 1997-05-15 | 2002-12-03 | Mondex International Limited | System and method for flexibly loading in IC card |
US6230267B1 (en) | 1997-05-15 | 2001-05-08 | Mondex International Limited | IC card transportation key set |
JP3895830B2 (en) | 1997-06-18 | 2007-03-22 | インテリジェントディスク株式会社 | Storage medium having electronic circuit |
US20010044864A1 (en) * | 1997-06-18 | 2001-11-22 | Kabushiki Kaisha Optrom | Disk storage system having an electronic circuit mounted on the surface of the disk and control method thereof |
JPH117296A (en) | 1997-06-18 | 1999-01-12 | Oputoromu:Kk | Storage medium having electronic circuit and speech synthesizer having the storage medium |
TW389894B (en) | 1997-06-19 | 2000-05-11 | Optrom Kk | Device for exchanging information with storage medium having electronic circuit and the electronic circuit, and system including the same |
US6085976A (en) * | 1998-05-22 | 2000-07-11 | Sehr; Richard P. | Travel system and methods utilizing multi-application passenger cards |
FR2765362B1 (en) * | 1997-06-26 | 2001-08-17 | Bull Cp8 | SECURITY MODULE COMPRISING MEANS OF CREATING LINKS BETWEEN MAIN FILES AND AUXILIARY FILES |
US6736325B1 (en) | 1998-01-22 | 2004-05-18 | Mondex International Limited | Codelets |
US6357665B1 (en) | 1998-01-22 | 2002-03-19 | Mondex International Limited | Configuration of IC card |
US6101477A (en) * | 1998-01-23 | 2000-08-08 | American Express Travel Related Services Company, Inc. | Methods and apparatus for a travel-related multi-function smartcard |
US6981149B1 (en) | 1998-01-27 | 2005-12-27 | Spyrus, Inc. | Secure, easy and/or irreversible customization of cryptographic device |
US6742120B1 (en) | 1998-02-03 | 2004-05-25 | Mondex International Limited | System and method for controlling access to computer code in an IC card |
JPH11272825A (en) | 1998-03-24 | 1999-10-08 | Toshiba Corp | Method and device for managing access |
FI108197B (en) * | 1998-09-11 | 2001-11-30 | Nokia Mobile Phones Ltd | Method and arrangement for processing subscriber data in a mobile station |
WO2000019699A1 (en) | 1998-09-29 | 2000-04-06 | Sun Microsystems, Inc. | Superposition of data over voice |
FR2784479B1 (en) * | 1998-10-09 | 2000-11-17 | Bull Cp8 | PROTOCOL FOR INTERNAL DATA EXCHANGE BETWEEN APPLICATIONS OF A MULTI-APPLICATION PORTABLE OBJECT AND CORRESPONDING MULTI-APPLICATION PORTABLE OBJECT |
TW463107B (en) * | 1998-12-22 | 2001-11-11 | Ibm | Extended card file system |
US6256690B1 (en) * | 1999-01-15 | 2001-07-03 | Todd Carper | System and method for facilitating multiple applications on a smart card |
US6823520B1 (en) * | 1999-01-22 | 2004-11-23 | Sun Microsystems, Inc. | Techniques for implementing security on a small footprint device using a context barrier |
US6922835B1 (en) | 1999-01-22 | 2005-07-26 | Sun Microsystems, Inc. | Techniques for permitting access across a context barrier on a small footprint device using run time environment privileges |
US6633984B2 (en) | 1999-01-22 | 2003-10-14 | Sun Microsystems, Inc. | Techniques for permitting access across a context barrier on a small footprint device using an entry point object |
US6907608B1 (en) | 1999-01-22 | 2005-06-14 | Sun Microsystems, Inc. | Techniques for permitting access across a context barrier in a small footprint device using global data structures |
US7093122B1 (en) | 1999-01-22 | 2006-08-15 | Sun Microsystems, Inc. | Techniques for permitting access across a context barrier in a small footprint device using shared object interfaces |
US6848111B1 (en) * | 1999-02-02 | 2005-01-25 | Sun Microsystems, Inc. | Zero overhead exception handling |
US6880155B2 (en) * | 1999-02-02 | 2005-04-12 | Sun Microsystems, Inc. | Token-based linking |
US6845498B1 (en) * | 1999-05-11 | 2005-01-18 | Microsoft Corporation | Method and apparatus for sharing data files among run time environment applets in an integrated circuit card |
EP1179209A1 (en) * | 1999-05-11 | 2002-02-13 | Microsoft Corporation | Method and apparatus for sharing data files among runtime environment applets in an integrated circuit card |
US6769053B1 (en) | 1999-06-10 | 2004-07-27 | Belle Gate Investment B.V. | Arrangement storing different versions of a set of data in separate memory areas and method for updating a set of data in a memory |
DE19929164A1 (en) * | 1999-06-25 | 2001-01-11 | Giesecke & Devrient Gmbh | Method for operating a data carrier designed for executing reloadable function programs |
US6654762B2 (en) | 1999-08-16 | 2003-11-25 | International Business Machines Corporation | Generating small footprint applications for mobile devices |
FR2797968B1 (en) * | 1999-08-24 | 2001-10-12 | Schlumberger Systems & Service | DEVICE AND METHOD FOR LOADING CONTROLS IN AN INTEGRATED CIRCUIT CARD |
DE19951087A1 (en) * | 1999-10-23 | 2001-04-26 | Roland Setzer | Management and processing method for electronically and optically readable cards, such as credit cards, telephone cards and membership cards, involves writing number of individual card |
WO2001040910A1 (en) | 1999-12-06 | 2001-06-07 | De Jong, Eduard, Karel | Computer arrangement using non-refreshed dram |
KR100699236B1 (en) | 1999-12-07 | 2007-03-27 | 선 마이크로시스템즈 인코포레이티드 | Secure photo carrying identification device, as well as means and method for authenticating such an identification device |
ATE378679T1 (en) | 1999-12-07 | 2007-11-15 | Sun Microsystems Inc | COMPUTER READABLE MEDIUM HAVING A MICROPROCESSOR FOR READING CONTROL AND COMPUTER ARRANGEMENT FOR COMMUNICATION WITH SUCH A MEDIUM |
US6802007B1 (en) | 2000-04-24 | 2004-10-05 | International Business Machines Corporation | Privacy and security for smartcards in a method, system and program |
CA2416844A1 (en) | 2000-07-20 | 2002-01-31 | Belle Gate Investment B.V. | Method and system of communicating devices, and devices therefor, with protected data transfer |
US20020044655A1 (en) * | 2000-10-18 | 2002-04-18 | Applebaum David C. | Information appliance and use of same in distributed productivity environments |
US6824064B2 (en) * | 2000-12-06 | 2004-11-30 | Mobile-Mind, Inc. | Concurrent communication with multiple applications on a smart card |
GB0106082D0 (en) * | 2001-03-13 | 2001-05-02 | Mat & Separations Tech Int Ltd | Method and equipment for removing volatile compounds from air |
EP1402356A2 (en) * | 2001-07-03 | 2004-03-31 | Research In Motion Limited | System and method of object-oriented persistence |
US6588674B2 (en) | 2001-07-27 | 2003-07-08 | Motorola, Inc. | Memory management method and smartcard employing same |
AU2002340138A1 (en) * | 2001-10-09 | 2003-04-22 | Joanna Sandorffy | System and method for conducting a financial transaction using a communication device |
US7085840B2 (en) * | 2001-10-29 | 2006-08-01 | Sun Microsystems, Inc. | Enhanced quality of identification in a data communications network |
US20030084171A1 (en) * | 2001-10-29 | 2003-05-01 | Sun Microsystems, Inc., A Delaware Corporation | User access control to distributed resources on a data communications network |
US7275260B2 (en) * | 2001-10-29 | 2007-09-25 | Sun Microsystems, Inc. | Enhanced privacy protection in identification in a data communications network |
US20030084302A1 (en) * | 2001-10-29 | 2003-05-01 | Sun Microsystems, Inc., A Delaware Corporation | Portability and privacy with data communications network browsing |
US7496751B2 (en) * | 2001-10-29 | 2009-02-24 | Sun Microsystems, Inc. | Privacy and identification in a data communications network |
US7243853B1 (en) | 2001-12-04 | 2007-07-17 | Visa U.S.A. Inc. | Method and system for facilitating memory and application management on a secured token |
US6912633B2 (en) * | 2002-03-18 | 2005-06-28 | Sun Microsystems, Inc. | Enhanced memory management for portable devices |
US7010783B2 (en) * | 2002-03-18 | 2006-03-07 | Sun Microsystems, Inc. | Method and apparatus for deployment of high integrity software using reduced dynamic memory allocation |
US20030177366A1 (en) * | 2002-03-18 | 2003-09-18 | Sun Microsystem, Inc., A Delaware Corporation | Method and apparatus for dynamic personal identification number management |
US7181737B2 (en) * | 2002-03-18 | 2007-02-20 | Sun Microsystems, Inc. | Method and apparatus for deployment of high integrity software using static procedure return addresses |
US6996802B2 (en) * | 2002-03-18 | 2006-02-07 | Sun Microsystems, Inc. | Method and apparatus for deployment of high integrity software using initialization order and calling order constraints |
US7167843B2 (en) * | 2002-06-05 | 2007-01-23 | Sun Microsystems, Inc. | Apparatus for private personal identification number management |
US7596531B2 (en) * | 2002-06-05 | 2009-09-29 | Sun Microsystems, Inc. | Method and apparatus for protecting against side channel attacks against personal identification numbers |
US7162456B2 (en) * | 2002-06-05 | 2007-01-09 | Sun Microsystems, Inc. | Method for private personal identification number management |
JP4185715B2 (en) * | 2002-06-28 | 2008-11-26 | 大日本印刷株式会社 | IC card and IC card program |
US8010405B1 (en) | 2002-07-26 | 2011-08-30 | Visa Usa Inc. | Multi-application smart card device software solution for smart cardholder reward selection and redemption |
US20040122774A1 (en) * | 2002-08-02 | 2004-06-24 | Martin Studd | Method and system for executing applications on a mobile device |
US8626577B2 (en) | 2002-09-13 | 2014-01-07 | Visa U.S.A | Network centric loyalty system |
US8015060B2 (en) | 2002-09-13 | 2011-09-06 | Visa Usa, Inc. | Method and system for managing limited use coupon and coupon prioritization |
US7121456B2 (en) | 2002-09-13 | 2006-10-17 | Visa U.S.A. Inc. | Method and system for managing token image replacement |
US20040148224A1 (en) * | 2002-09-13 | 2004-07-29 | Visa U.S.A. | Method and apparatus for electronic support and delivery of multiple lottery and sweepstake programs, in substantially off-line environments |
US9852437B2 (en) | 2002-09-13 | 2017-12-26 | Visa U.S.A. Inc. | Opt-in/opt-out in loyalty system |
US20040139021A1 (en) | 2002-10-07 | 2004-07-15 | Visa International Service Association | Method and system for facilitating data access and management on a secure token |
US6920611B1 (en) | 2002-11-25 | 2005-07-19 | Visa U.S.A., Inc. | Method and system for implementing a loyalty merchant component |
US7222331B2 (en) * | 2003-01-16 | 2007-05-22 | Sun Microsystems, Inc. | Linking of virtual methods |
US7281244B2 (en) * | 2003-01-16 | 2007-10-09 | Sun Microsystems, Inc. | Using a digital fingerprint to commit loaded data in a device |
US8121955B2 (en) | 2003-01-16 | 2012-02-21 | Oracle America, Inc. | Signing program data payload sequence in program loading |
US20040143739A1 (en) * | 2003-01-16 | 2004-07-22 | Sun Mircosystems, Inc., A Delaware Corporation | Run time code integrity checks |
US7165246B2 (en) * | 2003-01-16 | 2007-01-16 | Sun Microsystems, Inc. | Optimized representation of data type information in program verification |
US7484095B2 (en) * | 2003-01-16 | 2009-01-27 | Sun Microsystems, Inc. | System for communicating program data between a first device and a second device |
US7272830B2 (en) * | 2003-01-16 | 2007-09-18 | Sun Microsystems, Inc. | Ordering program data for loading on a device |
US7703128B2 (en) | 2003-02-13 | 2010-04-20 | Microsoft Corporation | Digital identity management |
US20040199787A1 (en) * | 2003-04-02 | 2004-10-07 | Sun Microsystems, Inc., A Delaware Corporation | Card device resource access control |
US7827077B2 (en) | 2003-05-02 | 2010-11-02 | Visa U.S.A. Inc. | Method and apparatus for management of electronic receipts on portable devices |
US7373522B2 (en) * | 2003-05-09 | 2008-05-13 | Stmicroelectronics, Inc. | Smart card with enhanced security features and related system, integrated circuit, and methods |
US8554610B1 (en) | 2003-08-29 | 2013-10-08 | Visa U.S.A. Inc. | Method and system for providing reward status |
US7104446B2 (en) * | 2003-09-03 | 2006-09-12 | Visa U.S.A., Inc. | Method, system and portable consumer device using wildcard values |
US7051923B2 (en) | 2003-09-12 | 2006-05-30 | Visa U.S.A., Inc. | Method and system for providing interactive cardholder rewards image replacement |
US20050071226A1 (en) * | 2003-09-30 | 2005-03-31 | Visa U.S.A. Inc. | Method and system for managing dynamic terms and conditions and user interaction |
US8005763B2 (en) | 2003-09-30 | 2011-08-23 | Visa U.S.A. Inc. | Method and system for providing a distributed adaptive rules based dynamic pricing system |
US8407083B2 (en) | 2003-09-30 | 2013-03-26 | Visa U.S.A., Inc. | Method and system for managing reward reversal after posting |
US7653602B2 (en) | 2003-11-06 | 2010-01-26 | Visa U.S.A. Inc. | Centralized electronic commerce card transactions |
US7661123B2 (en) | 2003-12-05 | 2010-02-09 | Microsoft Corporation | Security policy update supporting at least one security service provider |
US7191288B2 (en) | 2004-02-24 | 2007-03-13 | Sun Microsystems, Inc. | Method and apparatus for providing an application on a smart card |
US7374099B2 (en) * | 2004-02-24 | 2008-05-20 | Sun Microsystems, Inc. | Method and apparatus for processing an application identifier from a smart card |
US7165727B2 (en) * | 2004-02-24 | 2007-01-23 | Sun Microsystems, Inc. | Method and apparatus for installing an application onto a smart card |
US7140549B2 (en) * | 2004-02-24 | 2006-11-28 | Sun Microsystems, Inc. | Method and apparatus for selecting a desired application on a smart card |
US7984488B2 (en) | 2004-04-09 | 2011-07-19 | Microsoft Corporation | Credential roaming in electronic computing systems |
WO2006005773A1 (en) * | 2004-06-09 | 2006-01-19 | Microelectronica Española, S.A.U | Method and device for sharing information between memory parcels in limited resource environments |
US20060047954A1 (en) * | 2004-08-30 | 2006-03-02 | Axalto Inc. | Data access security implementation using the public key mechanism |
US20060253497A1 (en) * | 2005-05-03 | 2006-11-09 | Bulent Abali | System and method for associating computational procedures with stored data objects |
US20080040615A1 (en) * | 2006-06-30 | 2008-02-14 | Electronic Plastics, Llc | Biometric embedded device |
JP4702628B2 (en) * | 2006-07-27 | 2011-06-15 | ソニー株式会社 | Electronic device, information processing method, and program |
WO2008079491A2 (en) * | 2006-10-20 | 2008-07-03 | Electronic Plastics, Llc | Decentralized secure transaction system |
US9137212B2 (en) | 2006-12-04 | 2015-09-15 | Oracle America, Inc. | Communication method and apparatus using changing destination and return destination ID's |
DE102007048976A1 (en) * | 2007-06-29 | 2009-01-02 | Voice.Trust Ag | Virtual prepaid or credit card and method and system for providing such and for electronic payments |
DE102007036589A1 (en) * | 2007-08-02 | 2009-02-05 | Continental Automotive Gmbh | Method of operating a tachograph and tachograph |
FR2921175A1 (en) * | 2007-09-14 | 2009-03-20 | Sagem Securite Sa | Chip card i.e. contact chip card, for use as e.g. bank card, has antenna for exchanging data with external device, RAM including storage zone dedicated for exchanged data, and processing unit for securing zone and storing data in zone |
US7979685B1 (en) | 2007-11-27 | 2011-07-12 | Oracle America, Inc. | Multiple instruction execution mode resource-constrained device |
US8225386B1 (en) | 2008-03-28 | 2012-07-17 | Oracle America, Inc. | Personalizing an anonymous multi-application smart card by an end-user |
US8789753B1 (en) | 2008-03-28 | 2014-07-29 | Oracle International Corporation | Method for using and maintaining user data stored on a smart card |
US8152074B1 (en) | 2008-03-28 | 2012-04-10 | Oracle America, Inc. | Method for preparing by a smart card issuer an anonymous smart card and resulting structure |
US8683209B2 (en) * | 2008-10-14 | 2014-03-25 | Koninklijke Philips N.V. | Method and apparatus for pseudonym generation and authentication |
US7992781B2 (en) | 2009-12-16 | 2011-08-09 | Visa International Service Association | Merchant alerts incorporating receipt data |
US8429048B2 (en) | 2009-12-28 | 2013-04-23 | Visa International Service Association | System and method for processing payment transaction receipts |
RU2741742C1 (en) * | 2020-02-14 | 2021-01-28 | Публичное Акционерное Общество "Сбербанк России" (Пао Сбербанк) | Method for obtaining low-dimensional numeric representations of sequences of events |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0190733A2 (en) * | 1985-02-04 | 1986-08-13 | Kabushiki Kaisha Toshiba | Data processing system and method and pocket-size hermetically sealed electronic device |
WO1987007062A1 (en) * | 1986-05-16 | 1987-11-19 | American Telephone & Telegraph Company | System for a portable data carrier |
EP0466969A1 (en) * | 1990-07-20 | 1992-01-22 | Siemens Nixdorf Informationssysteme Aktiengesellschaft | Method for preventing unauthorised deviations from an application development protocol in a data exchange system |
DE4126213A1 (en) * | 1991-08-08 | 1993-02-11 | Bundesrep Deutschland | Multi-function chip card - has additional separate memory regions on card relative to different functions, each accessed by identification number |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA1238427A (en) * | 1984-12-18 | 1988-06-21 | Jonathan Oseas | Code protection using cryptography |
FR2653914A1 (en) * | 1989-10-27 | 1991-05-03 | Trt Telecom Radio Electr | SYSTEM FOR AUTHENTICATING A MICROCIRCUIT CARD BY A PERSONAL MICROCOMPUTER, AND METHOD FOR ITS IMPLEMENTATION |
US5204663A (en) * | 1990-05-21 | 1993-04-20 | Applied Systems Institute, Inc. | Smart card access control system |
US5649118A (en) * | 1993-08-27 | 1997-07-15 | Lucent Technologies Inc. | Smart card with multiple charge accounts and product item tables designating the account to debit |
ATE152539T1 (en) * | 1994-02-08 | 1997-05-15 | Belle Gate Invest Bv | DATA EXCHANGE SYSTEM WITH PORTABLE DATA PROCESSING UNITS |
FR2720532B1 (en) * | 1994-05-25 | 1997-09-12 | Vincent Lorphelin | Secure software rental system with memory card. |
US5857079A (en) * | 1994-12-23 | 1999-01-05 | Lucent Technologies Inc. | Smart card for automatic financial records |
US5930363A (en) * | 1995-03-17 | 1999-07-27 | Transmo Limited | Card charging systems |
IL119444A (en) * | 1995-10-20 | 2001-10-31 | Yeda Res & Dev | Private information retrieval |
US5903882A (en) * | 1996-12-13 | 1999-05-11 | Certco, Llc | Reliance server for electronic transaction system |
US5901303A (en) * | 1996-12-27 | 1999-05-04 | Gemplus Card International | Smart cards, systems using smart cards and methods of operating said cards in systems |
US5920861A (en) * | 1997-02-25 | 1999-07-06 | Intertrust Technologies Corp. | Techniques for defining using and manipulating rights management data structures |
- 1994
  - 1994-02-08 AT AT94200236T patent/ATE152539T1/en not_active IP Right Cessation
  - 1994-02-08 DE DE69402955T patent/DE69402955T2/en not_active Expired - Lifetime
  - 1994-02-08 EP EP94200236A patent/EP0666550B1/en not_active Expired - Lifetime
- 1995
  - 1995-02-08 JP JP7521126A patent/JPH09508733A/en not_active Ceased
  - 1995-02-08 WO PCT/NL1995/000055 patent/WO1995022126A1/en active IP Right Grant
  - 1995-02-08 KR KR1019960704253A patent/KR100386154B1/en not_active IP Right Cessation
  - 1995-02-08 KR KR10-2002-7010584A patent/KR100417502B1/en not_active IP Right Cessation
  - 1995-02-08 RU RU96118111A patent/RU2148856C1/en not_active IP Right Cessation
  - 1995-02-08 CN CN95191544A patent/CN1079968C/en not_active Expired - Lifetime
  - 1995-02-08 CA CA002466650A patent/CA2466650A1/en not_active Abandoned
  - 1995-02-08 US US08/676,347 patent/US5802519A/en not_active Expired - Lifetime
  - 1995-02-08 AU AU15460/95A patent/AU681754B2/en not_active Expired
  - 1995-02-08 CA CA002182783A patent/CA2182783C/en not_active Expired - Fee Related
  - 1995-02-08 NZ NZ278967A patent/NZ278967A/en not_active IP Right Cessation
- 1996
  - 1996-08-07 FI FI963111A patent/FI117990B/en not_active IP Right Cessation
- 1998
  - 1998-08-27 US US09/141,255 patent/US6052690A/en not_active Expired - Lifetime
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998009257A1 (en) * | 1996-08-30 | 1998-03-05 | Gemplus S.C.A. | A system and method for loading applications onto a smart card |
CN1127701C (en) * | 1996-08-30 | 2003-11-12 | 格姆普拉斯有限公司 | System and method for loading applications onto smart card |
WO2003034281A1 (en) * | 2001-10-19 | 2003-04-24 | Intel Zao | Method and apparatus to provide a hierarchical index for a language model data structure |
US8737981B2 (en) | 2002-12-19 | 2014-05-27 | Qualcomm Incorporated | Downloadable configuring application for a wireless device |
US9191276B2 (en) | 2002-12-19 | 2015-11-17 | Qualcomm Incorporated | Downloadable configuring application for a wireless device |
US8594112B2 (en) | 2006-03-31 | 2013-11-26 | Qualcomm Incorporated | Memory management for high speed media access control |
Also Published As
Publication number | Publication date |
---|---|
CA2182783C (en) | 2005-04-19 |
KR100386154B1 (en) | 2003-10-23 |
CN1150850A (en) | 1997-05-28 |
NZ278967A (en) | 1997-04-24 |
KR100417502B1 (en) | 2004-02-05 |
FI117990B (en) | 2007-05-15 |
CA2182783A1 (en) | 1995-08-17 |
FI963111A (en) | 1996-08-07 |
US5802519A (en) | 1998-09-01 |
RU2148856C1 (en) | 2000-05-10 |
ATE152539T1 (en) | 1997-05-15 |
CN1079968C (en) | 2002-02-27 |
US6052690A (en) | 2000-04-18 |
EP0666550A1 (en) | 1995-08-09 |
EP0666550B1 (en) | 1997-05-02 |
JPH09508733A (en) | 1997-09-02 |
FI963111A0 (en) | 1996-08-07 |
CA2466650A1 (en) | 1995-08-17 |
AU1546095A (en) | 1995-08-29 |
DE69402955T2 (en) | 1997-08-14 |
AU681754B2 (en) | 1997-09-04 |
DE69402955D1 (en) | 1997-06-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5802519A (en) | Coherent data structure with multiple interaction contexts for a smart card | |
US6094656A (en) | Data exchange system comprising portable data processing units | |
US7185110B2 (en) | Data exchange system comprising portable data processing units | |
US6296191B1 (en) | Storing data objects in a smart card memory | |
CA2026739C (en) | Transaction system security method and apparatus | |
US7490333B2 (en) | Capability-based access control for applications in particular co-operating applications in a chip card | |
US5682027A (en) | System and method for performing transactions and a portable intelligent device therefore | |
US6742120B1 (en) | System and method for controlling access to computer code in an IC card | |
WO1999062210A2 (en) | Secure token device access to services provided by an internet service provider (isp) | |
CN100507797C (en) | Techniques for implementing security on a small footprint device using a context barrier | |
WO2004100094A2 (en) | System and method for using open apis to provide integrated security policies for flexible management and customization of payment instruments | |
Akdemir | An implementation of secure flow type inference for a subset of Java | |
Keys | Cryptography & Security Issues in JAVA CARD 2.0 | |
Cucinotta et al. | An open middleware for smart cards | |
Corcoran et al. | An open middleware for smart cards | |
Akdemir et al. | An Implementation of Secure Flow Type Interference for a Subset of Java | |
Jang | Secure Object Sharing on Java Card | |
Brinkman | JavaCards As Secure Objects Network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 95191544.4 Country of ref document: CN |
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AM AT AU BB BG BR BY CA CH CN CZ DE DK EE ES FI GB GE HU JP KE KG KP KR KZ LK LR LT LU LV MD MG MN MW MX NL NO NZ PL PT RO RU SD SE SI SK TJ TT UA US UZ VN |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): KE MW SD SZ AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 08676347 Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 278967 Country of ref document: NZ |
| WWE | Wipo information: entry into national phase | Ref document number: 2182783 Country of ref document: CA |
| WWE | Wipo information: entry into national phase | Ref document number: 963111 Country of ref document: FI |
| REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
| 122 | Ep: pct application non-entry in european phase | |
| WWG | Wipo information: grant in national office | Ref document number: 963111 Country of ref document: FI |