EP1817752A2 - Method for personalising chip cards - Google Patents
Method for personalising chip cards
- Publication number
- EP1817752A2 (application EP05811146A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- chip card
- personalization
- command sequence
- command
- chipk
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/355—Personalisation of cards for use
- G06Q20/3552—Downloading or loading of personalisation data
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/355—Personalisation of cards for use
- G06Q20/3558—Preliminary personalisation for transfer to user
Definitions
- Personalization of chip cards, in which card- and/or person-specific data are loaded onto a respective chip card, has hitherto generally been carried out in secured personalization centers at the chip card manufacturer, at a certification authority or at a trusted service provider.
- Personalization centers are usually secured against unauthorized manipulation by electronic and mechanical security mechanisms and/or organizational measures, since security-relevant data (e.g. personal data of the card user, PINs, etc.) are processed in them, and both the disclosure of information to unauthorized persons and any influence of unauthorized persons on the personalization process must be prevented.
- Personalization of a chip card typically involves activating one or more applications on the chip card together with generating security keys and/or security key pairs, e.g. symmetric keys or RSA keys (RSA: encryption algorithm named after its inventors Rivest, Shamir and Adleman).
- Generating security key pairs is very expensive compared with the remaining personalization steps.
- The number of chip cards a personalization center can process in a given period is therefore significantly limited by the key generation time of the individual cards.
- Moreover, the personalization of a chip card often cannot be completed in a single personalization session, since at the time the card is issued it is not yet fully known which applications are to be loaded onto and installed on the card. With multi-application chip cards, which may carry several applications, there is additionally a need to activate applications over the lifetime of the card. According to the prior art this means bringing the chip card back to the secured personalization center whenever the applicable security requirements demand it.
- Key information means, e.g., a card-specific secure messaging key and/or an authentication key.
- A non-volatile memory can be realized, for example, as an EEPROM on the chip card.
- In the method, a command sequence definition and a command sequence which sets up a chip card application, consisting of chip card commands to be executed by the chip card, are transmitted to the chip card as part of a supplementary personalization that can also be carried out in an unsecured environment.
- Before a chip card command is executed, a check secured by means of the key information is carried out as to whether that command satisfies the command sequence definition. Only if it does is the command executed by the chip card.
- The stated order of the method features need not correspond to their chronological order.
- The check of the chip card commands may also be carried out in one pass at the beginning of the supplementary personalization, before the individual chip card commands are executed.
- The command sequence is then secured on the chip card, and the check of the command sequence against the command sequence definition can take place during execution of the sequence without further securing by means of the key information.
- An advantage of checking the command sequence against a command sequence definition is that only unmanipulated, trusted command sequences can be executed, since only those satisfy the definition.
- With the method, a supplementary personalization can be carried out safely in unsecured places such as the user's private home, a local sales office for mobile phone cards, in-house chip card encoding for employee cards, bank branches for credit or loyalty cards, or registration offices for ID cards; to date such steps could only be carried out in secured personalization centers in order to meet the high security requirements.
- Time-consuming personalization steps, in particular generating certificates and key pairs, can be carried out as part of the supplementary personalization. These steps then no longer have to be performed in the personalization center, so the personalization time per chip card drops and the center can partially personalize chip cards at shorter intervals.
- A further advantage is that multi-application chip cards, onto which further applications can be loaded even after delivery, need not be sent back to the personalization center to activate those applications and complete the personalization.
- Activating such a further application can be carried out as part of the supplementary personalization, i.e. the supplementary personalization with applications can be performed by the card user himself, e.g. in his home, outside the personalization center.
- The check of the chip card commands can be implemented, and thereby secured, e.g. by using a secure messaging key as key information, so that a command sequence and/or command sequence definition transmitted to the chip card under an incorrect secure messaging key is not accepted.
- The chip card may hold, as key information, the private key of an RSA key pair.
- The transmitted command sequence and/or command sequence definition may then be encrypted with the public RSA key of the chip card for protection.
- The chip card, and only it, can decrypt the command sequence and/or the command sequence definition with the private key stored on it.
- An authentication or signature key can be used as key information to ensure that the command sequence and/or command sequence definition was generated and transmitted by the expected party, preferably the personalization center that performed the partial personalization.
- Before each chip card command of the command sequence is executed, it is checked with the aid of the command sequence definition whether the command to be executed satisfies the definition. If the result is positive the command is executed; if negative it is not.
- An access authorization for executing the command sequence can be set on the chip card, and its presence checked before each chip card command is executed. If the check is positive the command can be executed; if negative, its execution can be suppressed.
- The access authorization can advantageously be set when the command sequence is invoked by the operating system.
- Alternatively, an access authorization associated with the individual chip card command can be set before and deleted after its execution.
- Such an access authorization for a chip card command may, for example, comprise a write right to a specific memory area.
- Another example of an access authorization is the right of a chip card command to generate a key for encryption or a certificate for authentication.
- Setting and deleting an access authorization allows a simple implementation of the check routines that decide whether a chip card command may be executed. Furthermore, if the access authorizations are checked for every chip card command both during and outside the supplementary personalization, such routines easily ensure that the chip card cannot execute, outside the supplementary personalization, a command that is only permitted within it.
- The key information can be chip card-specific or specific to a group of chip cards.
- A chip card group may be, e.g., a production lot, the chip cards of a distribution customer, the chip cards of a particular application (e.g. fuel cards used at gas stations), or all chip cards produced.
- During the partial personalization it can thus be determined on which chip cards a given command sequence can be executed: only on a single chip card, on a chip card group, or on all chip cards.
- The command sequence definition can specify the states and state transitions of a state machine which passes from each state to a predetermined successor state that differs from all previously assumed states, one state change being made per chip card command.
- Each state is assigned a predetermined chip card command which is permitted to execute in that state.
- The command sequence definition may comprise information patterns for the, preferably entire, command sequence; by comparing them with the chip card commands contained in the sequence it can be determined whether a command to be executed belongs to the sequence described by the definition, whether the order of the commands is correct, and/or whether, after execution of the sequence, all commands it contains have been processed and the sequence has thus been completely executed.
- The command sequence definition can be implemented so that, for each chip card command of the associated command sequence, it contains information identifying that command, preferably in as compact a representation as possible.
- The state diagram of the state machine preferably contains no branches, loops or recursions.
- Execution of command sequences can thus be restricted to those provided by the personalization unit that carried out the partial personalization.
- The absence of branches, loops and recursion ensures that a command sequence passing through the state diagram is executed unchanged, exactly once, essentially completely and in the correct order. The card user is thereby protected against manipulation by unauthorized third parties.
- The command sequence definition, the command sequence, a chip card application partially set up by executing the command sequence up to an individual command, the access authorization, the state machine and/or the currently assumed state of the state machine can be stored in a preferably non-volatile memory of the chip card.
- An interrupted supplementary personalization can then be continued after the interruption.
- Using non-volatile memory for this information makes it possible to continue the supplementary personalization even after the power supply has been interrupted.
- Continuation of an interrupted supplementary personalization is preferably carried out by resuming the command sequence at the last stored state of the state machine.
- Alternatively, an interrupted supplementary personalization can be continued by restarting execution of the command sequence from its beginning and skipping all chip card commands that have already been processed until the first command not yet processed is reached.
- On completion, information indicating a completed supplementary personalization can be stored on the chip card, the access authorization deleted, and/or the command sequence definition, the command sequence, the state machine and/or its state deleted from the chip card.
- The information indicating a completed supplementary personalization can also be represented by data that are deleted after personalization, so that their absence indicates completion.
- The presence or absence of such data on the chip card can be evaluated by the card's operating system to detect whether the card is currently carrying out a supplementary personalization, whether it has already been completed, or whether it has not yet started.
- The operating system of the chip card can additionally decide whether the respective commands to be executed are to be executed with different access authorizations.
- A chip card command of a command sequence may itself contain the command sequence definition for a further command sequence. Command sequences can thus be executed in cascade, and long command sequences can be split into several short, modular sequences executed one after another.
- A test routine for checking a successful supplementary personalization can be invoked; on detecting a faulty supplementary personalization it stores information indicating the faulty personalization on the chip card.
- A program on the chip card can then detect, simply by reading this information, whether an application has been personalized without error, and only in that case access the application.
- This test routine can be permanently present on the chip card, be part of the command sequence, or be transferred to the chip card as a command sequence of its own in the course of the supplementary personalization and deleted after it terminates.
- A routine may be executed as part of the partial personalization which reserves a memory area or a directory on the chip card to receive the data generated during the supplementary personalization by executing the command sequence. This guarantees that no memory shortage or overflow occurs while the supplementary personalization is processed, and that only command sequences whose chip card commands write to this previously reserved area can be executed completely.
- A chip card can be used for its intended purpose only once the supplementary personalization has been completely executed and terminated.
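Added example (not code from the patent or from any implementation of it): a Python simulation of the supplementary personalization routine EPERS as described in the definitions above. The command sequence definition BSD is built as a linear state machine with one definition unit per command; each command is checked against the unit for the current state before it runs; an access authorization is set before and deleted after each command and is also enforced for commands issued outside the personalization; the state lives in a simulated non-volatile memory so that an interrupted personalization resumes at the last state; a reordered (tampered) sequence is rejected and logged in the error counter FEHLZ; and BS/BSD are deleted once the final state is reached. The opcodes, the memory model and all identifiers other than BS, BSD, EPERS, FEHLZ, FREIMEM and APPDATA are assumptions made for this example.

```python
"""Simulated EPERS routine: linear state machine BSD, per-command access
authorization, error counter FEHLZ, resumption from non-volatile state.
Everything except the names BS, BSD, EPERS, FEHLZ, FREIMEM and APPDATA
is an assumption made for this example."""
import hashlib

# Constructed toy command sequence BS: (opcode, application, payload).
# The opcodes are hypothetical stand-ins for real chip card commands.
BS = [
    ("RESERVE", "app1", 4),        # reserve 4 memory units for app1
    ("WRITE",   "app1", b"cfg"),    # write configuration data
    ("GENKEY",  "app1", None),     # generate a key pair (the slow step)
    ("WRITE",   "app1", b"cert"),   # write a certificate
    ("FINISH",  "app1", None),     # mark the application as activated
]

# Access authorization each opcode requires (set before, deleted after).
REQUIRED_AUTH = {"RESERVE": "alloc", "WRITE": "write",
                 "GENKEY": "keygen", "FINISH": "write"}


def definition_unit(cmd):
    """BSD unit D_i: a compact identifier of command i (truncated hash)."""
    op, app, payload = cmd
    return hashlib.sha256(f"{op}|{app}|{payload!r}".encode()).digest()[:8]


def make_bsd(bs):
    """BSD as a linear state machine: state i permits exactly command i and
    its successor is state i+1; no branches, loops or recursion."""
    return [definition_unit(c) for c in bs]


class ChipCard:
    """Minimal card model. `nvm` stands for the EEPROM MEM; everything the
    supplementary personalization needs in order to resume lives there."""

    def __init__(self, bs, bsd, free_mem=16):
        self.nvm = {"BS": bs, "BSD": bsd,
                    "STATE": 0,           # current state Z_i; 0 is BZ
                    "AUTH": set(),        # access authorizations in force
                    "FEHLZ": [],          # error counter / error log
                    "FREIMEM": free_mem,  # free memory units
                    "APPDATA": {},        # data produced by the commands
                    "DONE": False}        # set once EZ is reached

    def _execute(self, cmd):
        """The card OS: refuses any command whose authorization is absent,
        during and outside the supplementary personalization alike."""
        op, app, payload = cmd
        if REQUIRED_AUTH[op] not in self.nvm["AUTH"]:
            raise PermissionError(f"{op} lacks authorization {REQUIRED_AUTH[op]!r}")
        appdata = self.nvm["APPDATA"]
        if op == "RESERVE":
            if self.nvm["FREIMEM"] < payload:
                raise MemoryError("not enough FREIMEM to reserve")
            appdata[app] = {"reserved": payload, "used": 0, "items": []}
            self.nvm["FREIMEM"] -= payload
        elif op in ("WRITE", "GENKEY"):
            area = appdata[app]
            if area["used"] + 1 > area["reserved"]:
                raise MemoryError("write outside the reserved area")
            area["used"] += 1
            area["items"].append(op if payload is None else payload)
        elif op == "FINISH":
            appdata[app]["active"] = True

    def epers_step(self):
        """Execute the command for the current state if it satisfies the
        BSD unit of that state. Returns False once EZ has been reached."""
        nvm = self.nvm
        if nvm["DONE"]:
            return False
        i = nvm["STATE"]
        cmd = nvm["BS"][i]
        if definition_unit(cmd) != nvm["BSD"][i]:
            nvm["FEHLZ"].append((i, "command does not satisfy BSD"))
            raise ValueError(f"command {i} rejected by BSD")
        auth = REQUIRED_AUTH[cmd[0]]
        nvm["AUTH"].add(auth)            # set authorization for this command
        try:
            self._execute(cmd)
        finally:
            nvm["AUTH"].discard(auth)    # and delete it again
        nvm["STATE"] = i + 1             # transition Z_i -> Z_(i+1)
        if nvm["STATE"] == len(nvm["BSD"]):
            nvm["DONE"] = True           # EZ reached: BS and BSD are deleted
            nvm["BS"] = nvm["BSD"] = None
        return True

    def run(self, power_fails_after=None):
        """Run EPERS until EZ, or until a simulated power cut after the
        given number of commands; returns the number of commands run."""
        steps = 0
        while self.epers_step():
            steps += 1
            if steps == power_fails_after:
                break                    # state persists in nvm
        return steps
```

Calling `ChipCard(BS, make_bsd(BS)).run(power_fails_after=2)` and then `run()` again on the same object finishes the remaining three commands from state Z2, which is the resumption behaviour the definitions describe; passing a reordered BS against the original BSD raises at the first mismatching command and leaves the state at BZ with an entry in FEHLZ.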
- FIG. 1 shows a part personalization of a chip card taking place in a personalization center
- FIG. 2 shows an introduction of a supplementary personalization of the chip card in an unsecured environment
- FIG. 3 shows the chip card with loaded and permanently existing modules for carrying out the supplementary personalization
- FIG. 4 shows the chip card during the execution of a command sequence in the context of the supplementary personalization
- FIG. 5 shows a command sequence definition as state automaton with states and state transitions.
- FIG. 1 diagrammatically shows a partial personalization of a chip card CHIPK taking place in a personalization center PZ.
- The chip card CHIPK, shown as a rectangle, can be identified by a chip card number ID contained on it which is unique among all chip cards.
- The chip card number ID is preferably placed on the chip card CHIPK already during its production.
- The electronically and/or mechanically secured area of the personalization center PZ is represented by a dash-dotted line.
- In the steps shown in FIG. 1 the chip card CHIPK is accessed by a chip card reader/writer CHIPLES. The connection between CHIPLES and the chip card CHIPK is represented by a broad black line, as is the connection between CHIPLES and a partial personalization module KEYGEN which controls it.
- The partial personalization module KEYGEN generates the key information KEY1 and KEY2, preferably as an RSA key pair. KEYGEN is further connected (broad black line) to a database CHIPDB, which in particular comprises a table TABKEY assigning to each chip card number (here ID) a piece of key information (here KEY2). Read/write accesses to data and memory of the components mentioned are shown by dashed arrows.
- The chip card CHIPK also comprises a memory MEM, usually an EEPROM, in which data can be stored permanently yet overwritably.
- Alternatively, the key information KEY1 and/or KEY2 can be derived by the partial personalization module KEYGEN by a suitable, reconstructible method using a key known only to the personalization center PZ.
- FIG. 2 schematically illustrates the initiation of the supplementary personalization: a command sequence BS and a command sequence definition BSD are requested from the personalization center PZ and transmitted to the chip card CHIPK.
- The chip card CHIPK is now located in an unsecured environment, referred to below as the personalization site HB, where the supplementary personalization is to be performed. In the embodiment the personalization site HB is assumed to be the home area, i.e. the private home or office of the card user; other possible personalization sites HB are local personalization offices, card-issuing agencies such as banks and insurance companies, and the personalization center PZ itself.
- The database CHIPDB and the table TABKEY in the personalization center PZ are shown in FIG. 2 as in FIG. 1.
- The chip card CHIPK with the chip card number ID, the memory MEM and the key information KEY1, a second chip card reader/writer CHIPLES2 and the connection between the two are likewise shown as in FIG. 1, except that the chip card CHIPK and the reader/writer CHIPLES2 are no longer in the personalization center PZ but at the personalization site HB where the supplementary personalization is carried out.
- A communication module KOM1 controls the chip card reader/writer CHIPLES2 and can be connected via an Internet connection to a communication module KOM2 in the personalization center PZ.
- An Internet connection is only the preferred one of several connection options.
- The communication module KOM1 establishes an Internet connection using the HTTPS protocol (HyperText Transfer Protocol Secure), sends a request message REQ to the communication module KOM2 and receives in response a data message DAT containing the command sequence BS and the associated command sequence definition BSD.
- The key information KEY1 stored on the chip card CHIPK and/or a public key of the personalization center PZ can be used for the HTTPS encryption.
- Besides the Internet connection assumed in the exemplary embodiment, all kinds of verbal, written or electronic connections are possible, e.g. radio or telephone connections. With an electronic connection, different communication protocols are possible, e.g. HTTP, HTTPS, SMTP or a proprietary protocol.
- The connection can also be offline, i.e. without a direct electronic connection, or an online/offline combination in which the request is transmitted to the personalization center PZ over an Internet connection and the answer is returned without a direct electronic connection.
- The communication module KOM2 has access (broad black line) to the database CHIPDB and to a generation module BSGEN for generating or determining the command sequence BS and the command sequence definition BSD.
- The transmission of the messages REQ and DAT over the Internet connection between the communication modules KOM1 and KOM2 is illustrated by arrows.
- The transmission path of the command sequence BS and the command sequence definition BSD from the generation module BSGEN to the memory MEM of the chip card CHIPK is shown by a dashed arrow.
- At the personalization site HB there is also a terminal for user interaction on which a program runs that handles any interaction required with the user, e.g. asking whether an Internet connection should be established or which command sequence BS should be downloaded.
- The chip card reader/writer CHIPLES2, the communication module KOM1 and the terminal mentioned are part of a workstation computer with standard components and a standard operating system.
- The communication module KOM2 can be implemented so that it accepts only connection requests that satisfy a plausibility routine contained in it (not shown). Furthermore, the communication module KOM2 may communicate with a web server (not shown), be a module of a web server, or include a web server in order to offer interaction to the user of the chip card CHIPK. In particular, a list of the chip card applications that can be activated can be displayed on a web page for selection, preferably, after reading and evaluating the chip card number ID, showing only the applications enabled for this chip card CHIPK.
- FIGS. 3 and 4 each schematically show the chip card CHIPK with the loaded and the permanently present modules for carrying out the supplementary personalization.
- FIG. 3 shows the state after the command sequence BS and the command sequence definition BSD have been loaded but before they are executed.
- FIG. 4 shows the chip card CHIPK after four chip card commands B1, ..., B4 have been processed, during processing of the fifth command B5 of the command sequence BS.
- The chip card CHIPK shown in FIGS. 3 and 4 additionally has an error counter FEHLZ in the memory MEM.
- The error counter FEHLZ is a data field which stores the number of errors, the error types and/or further details of errors that occur.
- The memory MEM holds the key information KEY1, the command sequence definition BSD and the command sequence BS; the latter is either transmitted to the chip card CHIPK and executed command by command (not shown) or stored on the card as a complete sequence.
- A free memory area FREIMEM of the memory MEM is represented by a dashed rectangle.
- APPDATA denotes the application data generated during the supplementary personalization.
- The individual commands B1, B2, B3, B4, B5 of the command sequence BS are shown within the command sequence BS; three dots indicate that the command sequence BS can contain any number of commands.
- The individual command sequence definition units D1, D2, D3, D4, D5 are shown within the command sequence definition BSD.
- The chip card CHIPK furthermore comprises a supplementary personalization routine EPERS which accesses the command sequence BS and the command sequence definition BSD for reading (dotted arrow) and the error counter FEHLZ and the free memory area FREIMEM for reading and writing (continuous arrow).
- The step-by-step processing of the commands B1, B2, B3, B4, B5 and of the command sequence definition units D1, D2, D3, D4, D5 is illustrated by a double arrow in the processing direction.
- Chip card commands B1, B2, B3, B4, B5 to be executed as part of the supplementary personalization can be commands with write access to a volatile or non-volatile memory MEM of the chip card, as well as commands that generate security certificates or key pairs.
- FIG. 5 illustrates a command sequence definition BSD which specifies states and state transitions in the sense of a state machine; its states are denoted Z1, Z2, Z3, ..., Zn.
- The state transitions are labeled with the command sequence definition units D1, D2, D3, D4, ..., Dn, Dn+1; executing the command associated with a unit causes the corresponding transition.
- The initial state BZ defines the start state of the state machine; the final state EZ represents successful execution of the command sequence BS.
- Preferably the initial state BZ and the final state EZ are identical and correspond to the neutral state of the chip card CHIPK when no supplementary personalization is taking place.
- FIG. 1 illustrates the partial personalization of the chip card CHIPK in the personalization center PZ.
- The chip card CHIPK contains the unique, unchangeable chip card number ID by means of which it can be identified.
- The partial personalization module KEYGEN requests this chip card number ID via the chip card reader/writer CHIPLES and transmits it to the database CHIPDB, so that an entry is created in the table TABKEY. Preferably one entry is stored in TABKEY for each chip card delivered.
- The partial personalization module KEYGEN generates the, preferably chip card-specific, key information KEY1 and KEY2, preferably according to the RSA method or alternatively by a suitable key derivation method. Depending on the method, KEY1 and KEY2 may coincide, so that there is only one common piece of key information.
- With the RSA method, the key information KEY1 is the private key of the chip card CHIPK and KEY2 the associated public key.
- The partial personalization module KEYGEN transmits the key information KEY2 to the database CHIPDB, where it is stored in the table TABKEY assigned to the chip card number ID.
- The partial personalization module KEYGEN transmits the key information KEY1 to the chip card reader/writer CHIPLES, which writes it into the non-volatile memory MEM of the chip card CHIPK, where it remains permanently stored. The chip card CHIPK is thus partially personalized with only a few steps and little effort.
- The user inserts the chip card CHIPK handed over to him into the chip card reader/writer CHIPLES2 and starts the supplementary personalization in a manner not described in detail. The communication module KOM1 then reads the chip card number ID and transmits it, preferably encrypted with the key information KEY1 and/or a public key of the personalization center PZ, in the message REQ to the communication module KOM2 in the personalization center PZ, requesting delivery of a command sequence BS and a command sequence definition BSD.
- Different messages REQ can be provided for the different chip card applications to be activated, or one message REQ with a parameter indicating which application is to be activated on the chip card.
- The communication module KOM2 extracts, after decryption if necessary, the transmitted chip card number ID from the message REQ and further determines from REQ which application is to be activated on the chip card CHIPK in a later step.
- The communication module KOM2 contacts the database CHIPDB and queries the key information KEY2 stored there in the table TABKEY. It further requests from the generation module BSGEN a command sequence BS for the later set-up of the chip card application and a matching command sequence definition BSD; the key information KEY2 may be provided by KOM2 for this purpose and used by BSGEN.
- The command sequence definition BSD is then generated using the key information KEY2 and the command sequence BS, so that it can be used on the chip card CHIPK to check the execution of the command sequence BS according to the various criteria.
- The generation module BSGEN generates or reads the command sequence BS and the command sequence definition BSD, preferably encrypting both for the card with the key information KEY2 so that they can be decrypted only on the chip card that holds the matching key information KEY1.
- A command sequence BS can also be generated which, when executed, sets up several applications on the chip card CHIPK.
- The supplementary personalization routine EPERS can likewise be provided by the generation module BSGEN and transmitted to the chip card (not shown). This is advantageous if different personalization routines are used for different command sequences.
- The communication module KOM2 transmits the command sequence BS, the command sequence definition BSD and, if applicable, the supplementary personalization routine EPERS in a data message DAT, preferably encrypted with the key information KEY2 and/or the public key of the personalization center PZ, to the communication module KOM1 in the home area HB of the user.
- The command sequence BS and the command sequence definition BSD are transmitted to the chip card CHIPK by the communication module KOM1 writing them into the memory MEM of the chip card CHIPK via the chip card reader/writer CHIPLES2.
- The communication module KOM1 then causes the supplementary personalization routine EPERS to be invoked to execute the command sequence BS as part of the supplementary personalization.
- FIG. 3 schematically shows the chip card CHIPK after the command sequence BS and the command sequence definition BSD have been loaded and the supplementary personalization routine EPERS has been invoked. If BS and BSD were loaded onto the card in encrypted form, EPERS first decrypts them with the key information KEY1.
- Using the key information KEY1 for decryption, preferably with standard means, thus already secures the subsequent check of the command sequence BS against the command sequence definition BSD, since only command sequences BS prepared for the decryption key KEY1 can be decrypted at all. This implicitly prevents the execution of other command sequences.
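Added example (not from the patent): the key derivation variant of the partial personalization that the description allows as an alternative to RSA, and the origin check of the data message DAT on the card. KEYGEN derives one card-specific key from a master key known only to PZ and stores it as KEY1 on the card and as KEY2 in TABKEY (with derivation the two coincide); BSGEN/KOM2 tag BS and BSD for the requesting card under KEY2; EPERS accepts DAT only if the tag verifies under its own KEY1 and the message names this card, so a DAT prepared for another card, a modified DAT or a truncated one is refused. Only authenticity and binding to one card are shown; the RSA encryption of DAT for confidentiality that the patent prefers is not implemented here. The master key, the chip card numbers, the message layout and the commands are constructed for the example.

```python
"""Key derivation and DAT authentication for the symmetric variant of
KEY1/KEY2 (an assumed construction, not the patent's own code). Master
key, card numbers, commands and message layout are constructed."""
import hashlib
import hmac
import json

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; known only to PZ
TABKEY = {}        # database CHIPDB, table TABKEY: chip card number ID -> KEY2
TAG_LEN = 32       # length of the HMAC-SHA256 tag appended to DAT


def derive_key(master, card_id):
    """KEYGEN, derivation variant: a card-specific key that PZ can
    reconstruct from the master key and the chip card number ID."""
    return hmac.new(master, card_id.encode(), hashlib.sha256).digest()


def partial_personalize(card_id):
    """Partial personalization in PZ: KEY2 into TABKEY, KEY1 onto the card.
    With derivation KEY1 and KEY2 are the same secret. Returns the card."""
    key = derive_key(MASTER_KEY, card_id)
    TABKEY[card_id] = key                          # KEY2
    return {"ID": card_id, "KEY1": key, "MEM": {}}  # KEY1 in the card's MEM


def make_bsd(bs):
    """BSD: one compact identifier (truncated hash) per command of BS."""
    return [hashlib.sha256(c.encode()).hexdigest()[:16] for c in bs]


def build_dat(card_id, bs, bsd):
    """KOM2/BSGEN: serialize ID, BS and BSD and tag them under KEY2 of the
    requesting card, so only that card can validate the message."""
    body = json.dumps({"ID": card_id, "BS": bs, "BSD": bsd},
                      sort_keys=True).encode()
    tag = hmac.new(TABKEY[card_id], body, hashlib.sha256).digest()
    return body + tag


def card_accept_dat(card, dat):
    """EPERS on the card: load BS/BSD into MEM only if the tag verifies
    under the card's own KEY1 and the message is addressed to this card."""
    if len(dat) <= TAG_LEN:
        return False                               # truncated message
    body, tag = dat[:-TAG_LEN], dat[-TAG_LEN:]
    expected = hmac.new(card["KEY1"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                               # other card's key or tampered
    payload = json.loads(body)
    if payload["ID"] != card["ID"]:
        return False
    card["MEM"]["BS"] = payload["BS"]
    card["MEM"]["BSD"] = payload["BSD"]
    return True


if __name__ == "__main__":
    card_a = partial_personalize("0001")
    card_b = partial_personalize("0002")
    bs = ["RESERVE app1 4", "WRITE app1 cfg", "GENKEY app1"]
    dat = build_dat("0001", bs, make_bsd(bs))
    print("card A accepts:", card_accept_dat(card_a, dat))
    print("card B accepts:", card_accept_dat(card_b, dat))
```

The same DAT handed to a second card fails the tag check because that card's KEY1 was derived for a different ID, which is the "only command sequences prepared for KEY1" property the description relies on; `hmac.compare_digest` keeps the comparison constant-time on the card side.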
- the respective chip card commands B1, B2, B3, B4, B5 of the command sequence BS are implicitly saved.
- a pointer contained in the supplemental personalization routine EPERS points to the next instruction to be executed of the instruction sequence BS. This is initially the first instruction Bl of the instruction sequence BS.
- a further contained pointer points parallel to the first command sequence definition unit D1 to be evaluated, which is assigned to the command Bl, it being assumed in the application example that the command sequence definition BSD comprises information patterns for the entire command sequence BS and exactly one command sequence definition unit for each command gives.
- a third contained pointer points to the memory area allocated to the application to be installed outdoors
- this memory area can already be reserved for the application as part of the partial personalization.
- the representation as pointers has been introduced only for clarity; an implementation on a chip card CHIPK can manage without pointers.
- the error counter FEHLZ is either already present on the chip card CHIPK or is only generated by the supplementary personalization routine EPERS in the memory MEM.
- the supplementary personalization routine EPERS now reads (not shown) the first command B1 of the command sequence BS and checks, by means of the associated command sequence definition unit D1, whether the command B1 to be executed satisfies this command sequence definition unit D1. This ensures that no illegal command is executed and that no commands are executed in the wrong order. If the command B1 satisfies the command sequence definition unit D1, it is executed by the chip card CHIPK and, if it is a write command to the memory MEM, a part of the free memory FREIMEM is written with application data APPDATA. This reduces the free memory FREIMEM. Subsequently, the pointers are advanced so that they point to the command B2 to be executed next and to the command sequence definition unit D2 to be evaluated next.
- otherwise the pointers are not advanced and the error counter FEHLZ is incremented.
- the further behavior after an error can vary; e.g. the execution of the command sequence BS can be aborted, or execution of the command can be attempted again. If the command sequence BS is aborted, the pointer to the command sequence definition BSD can be reset, or it can remain at the previous position in order to continue processing there after a further command sequence BS has been transferred to the chip card CHIPK.
- the supplementary personalization routine EPERS or an operating system routine of the chip card CHIPK can check the error counter FEHLZ and, when a predetermined threshold value is exceeded, trigger an action such as disabling the chip card CHIPK.
- FIG. 4 schematically illustrates the chip card CHIPK after successful execution of four instructions B1, B2, B3, B4 of the command sequence BS.
- four command sequence definition units D1, D2, D3, D4 were evaluated in the illustrated embodiment of the invention after processing the four commands.
- an originally free memory area was used when executing the commands B1, B2, B3, B4 for storing the application data APPDATA.
- after execution of all commands of the command sequence BS, all command sequence definition units of the command sequence definition BSD have been successfully evaluated and the desired application has been created in the application data APPDATA.
- the smart card application is set up and the supplementary personalization can be terminated.
- the command sequence BS and the command sequence definition BSD can be deleted by the supplementary personalization routine EPERS. The routine may then terminate.
- the chip card CHIPK can use the application now stored on it after completion of the supplementary personalization.
- the chip card CHIPK can send a message (not shown) about the successful execution of the command sequence BS to the communication module KOM1, which can then display this information to the user on the screen of a terminal.
- the communication module KOM1 can send a corresponding message (not shown) to the personalization center PZ.
- FIG. 5 schematically illustrates a command sequence definition BSD that specifies a state machine.
- a successful evaluation of a command sequence definition unit D1, and thus a successful execution of a command B1, causes the state machine to change from the initial state BZ to the state Z1.
- the machine in turn leaves this state and advances to the only following state Z2 only when the command sequence definition unit D2 has been successfully evaluated and thus command B2 has been executed.
- since the state machine illustrated in FIG. 5 has no forward or backward loops in its state graph, there is only one sequence of command sequence definition units that completes the state machine and brings it into the final state EZ.
- the final state EZ, like the initial state BZ, is again a state that is normally assumed during normal operation of the chip card CHIPK, i.e. outside the supplementary personalization.
- the transition from the initial state BZ can be used so that further access rights, e.g. write access to certain memory areas, are enabled by setting an access authorization and are available during the execution of the command sequence BS. On the transition to the final state EZ, this access authorization can then be withdrawn again. If each chip card command is checked for the access authorizations it requires before it is processed, it can thus be achieved that chip card commands executed during a supplementary personalization have sufficient access rights, while such chip card commands are blocked outside of the supplementary personalization.
- the present embodiment thus comprises an authorization at the personalization center PZ, a secure transmission of the command sequence BS, and a check of the command sequence BS against the command sequence definition BSD, which specifies a loop-free state machine.
- PZ personalization center
- BSD command sequence definition
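The EPERS check loop, the error counter FEHLZ and the loop-free BSD state machine with its access authorization described above, simulated in Python as an added example that is not code from the patent. The tuple formats for the definition units D_i and commands B_i, the instruction names, the memory size, the address window and the FEHLZ threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
# Added example, not code from the patent. D_i = (ins, lo, hi): required instruction
# and, for WRITE, permitted address window; B_i = (ins, addr, data). Constructed.
@dataclass
class ChipCard:
    bsd: list                                    # D_1..D_n: chain BZ -> Z1 .. -> EZ
    free_mem: int = 64                           # FREIMEM in bytes (constructed)
    appdata: dict = field(default_factory=dict)  # APPDATA keyed by address
    fehlz: int = 0                               # error counter FEHLZ
    threshold: int = 2                           # constructed FEHLZ threshold
    pos: int = 0                                 # pointer to next B_i / D_i
    disabled: bool = False

    @property
    def state(self) -> str:                      # state of the BSD state machine
        if self.pos == 0:
            return "BZ"
        return "EZ" if self.pos == len(self.bsd) else f"Z{self.pos}"
    @property
    def write_auth(self) -> bool:                # granted on leaving BZ, withdrawn at EZ
        return 0 < self.pos < len(self.bsd)

    def check(self, cmd: tuple) -> bool:
        """Does cmd satisfy the definition unit the pointer currently selects?"""
        ins, addr, data = cmd
        if self.disabled or self.state == "EZ" or ins != self.bsd[self.pos][0]:
            return False                         # illegal command or wrong order
        if ins == "WRITE":                       # access rights checked per command
            _, lo, hi = self.bsd[self.pos]
            return (self.write_auth and lo <= addr and addr + len(data) <= hi
                    and len(data) <= self.free_mem)
        return True

    def epers(self, bs: list) -> str:
        """Routine EPERS: run BS under the BSD check; returns the state reached."""
        for cmd in bs:
            if not self.check(cmd):
                self.fehlz += 1                  # pointer stays, so a later BS may resume
                self.disabled = self.fehlz > self.threshold   # action above threshold
                break                            # abort this command sequence
            if cmd[0] == "WRITE":                # execute: write APPDATA, consume FREIMEM
                self.appdata[cmd[1]] = cmd[2]
                self.free_mem -= len(cmd[2])
            self.pos += 1                        # advance pointers / change state
        return self.state

# Constructed sample: application area reserved at 0x100..0x13F, five commands.
BSD = [("SELECT", 0, 0)] + [("WRITE", 0x100, 0x140)] * 3 + [("ACTIVATE", 0, 0)]
BS_GOOD = [("SELECT", 0, b""), ("WRITE", 0x100, b"\x01" * 16), ("WRITE", 0x110, b"\x02" * 16),
           ("WRITE", 0x120, b"\x03" * 16), ("ACTIVATE", 0, b"")]
BS_BAD = BS_GOOD[:2] + [("WRITE", 0x200, b"\x02" * 16)] + BS_GOOD[3:]  # B3 outside area

def run(bs: list) -> tuple:
    card = ChipCard(bsd=BSD)
    return card.epers(bs), card.fehlz, card.free_mem, card.disabled, card.write_auth
```

Running `run(BS_BAD)` stops at B3 with the pointer still on D3, so a corrected command sequence can resume there; a write attempted before SELECT or after EZ is refused because the BSD order and the access authorization both fail.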
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102004058020A DE102004058020A1 (en) | 2004-12-01 | 2004-12-01 | Method for personalizing smart cards |
PCT/EP2005/055911 WO2006058828A2 (en) | 2004-12-01 | 2005-11-11 | Method for personalising chip cards |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1817752A2 true EP1817752A2 (en) | 2007-08-15 |
Family
ID=35708858
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05811146A Ceased EP1817752A2 (en) | 2004-12-01 | 2005-11-11 | Method for personalising chip cards |
Country Status (5)
Country | Link |
---|---|
US (1) | US8020773B2 (en) |
EP (1) | EP1817752A2 (en) |
CN (1) | CN101069218B (en) |
DE (1) | DE102004058020A1 (en) |
WO (1) | WO2006058828A2 (en) |
- 2004
  - 2004-12-01 DE DE102004058020A patent/DE102004058020A1/en not_active Withdrawn
- 2005
  - 2005-11-11 US US11/791,637 patent/US8020773B2/en active Active
  - 2005-11-11 WO PCT/EP2005/055911 patent/WO2006058828A2/en active Application Filing
  - 2005-11-11 EP EP05811146A patent/EP1817752A2/en not_active Ceased
  - 2005-11-11 CN CN2005800413484A patent/CN101069218B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN101069218A (en) | 2007-11-07 |
CN101069218B (en) | 2011-07-27 |
DE102004058020A1 (en) | 2006-06-08 |
US8020773B2 (en) | 2011-09-20 |
WO2006058828A3 (en) | 2006-08-24 |
WO2006058828A2 (en) | 2006-06-08 |
US20080116261A1 (en) | 2008-05-22 |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20070410 |
AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
17Q | First examination report despatched | Effective date: 20071221 |
DAX | Request for extension of the european patent (deleted) | |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: SIEMENS IT SOLUTIONS AND SERVICES GMBH |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: ATOS IT SOLUTIONS AND SERVICES GMBH |
REG | Reference to a national code | Ref country code: DE Ref legal event code: R003 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
18R | Application refused | Effective date: 20160321 |