AU723007B2

AU723007B2 - Method of dynamically interpreting data by a chip card

Info

Publication number: AU723007B2
Application number: AU57678/98A
Authority: AU
Inventors: Kodjo Agbenu; Charles Coulier; Nathalie Feyt
Original assignee: Gemplus SCA; Gemplus Card International SA
Current assignee: Gemplus SA
Priority date: 1996-12-27
Filing date: 1997-12-24
Publication date: 2000-08-17
Anticipated expiration: 2017-12-24
Also published as: EP0974131A1; ATE388455T1; ES2303344T3; FR2757979A1; AU5767898A; JP3671238B2; CA2275940A1; WO1998029843A1; FR2757979B1; DE69738548T2; DE69738548D1; EP0974131B1; JP2001506793A

Abstract

In order to reduce the duration for establishing verification protocols during the connection of a chip card to a reader, to reduce the risks of corruption during this operation and to limit memory occupancy, it is proposed to constitute a signature which can be used for verifying the adequacy of the chip card for implementing an application. This signature is carried out by a signature machine which prepares a concatenated word including all the data required for producing this signature. Thus it is possible to modify on request the structure of the required signature for an application without having to modify the operational system of the memory chip.

Description

METHOD OF DYNAMICALLY INTERPRETING DATA BY A CHIP CARD The present invention relates to a method of interpreting data for an integrated electronic circuit mounted on a portable medium. The invention will be described in a context where the portable medium is a chip card, although other options would also be conceivable such as a 'key with a chip, a token incorporating a chip and others. The invention relates to what happens in the integrated circuit of the medium, regardless of whether it is connected to a reader. However, in order to provide a more comprehensive explanation of the invention, the portable medium described will be one which can be electrically connected to readers.

The invention may also be applied in situations where the portable medium is connected to the reader, without using any actual physical contacts but rather by radio frequency transmission (in the case of portable contactless chip cards), infra-red or other links, for example. In one specific example, what happens in the integrated circuit will depend on the nature of the connection to the reader.

For the purposes of this invention, interpretation of the data will be in the form of a signature. A signature refers to a character string or bit string which is produced from another string by a transformation, which may be simple or complex.

A portable medium of the type relating to the invention consists of an electronic circuit, essentially provided with a memory and an input/output circuit, enabling this memory to communicate with the outside world, in particular a reader. The essential feature of portable media is the fact that the size of their integrated circuit memory is necessarily limited, which in practice restricts the applications for which the medium can be used. In effect, particularly in the case of chip cards, because of the amount of stress to which the electronic circuits embedded in the card will be subjected, these memories will necessarily be small in terms of physical size. In practice, if they are too large, they will in turn be subjected to the same stress to which the card is subjected and will break. Current manufacturing technology being as it is, this size limitation means that the memory space available is restricted. For example, in the current state of the art, a capacity of 64 kilobytes is currently virtually the largest size industrially available.

Consequently, the general problem inherent in portable media is one of limited capacity, even leaving aside these concepts of mechanical fragility.

The input-output circuit may be a wired circuit which performs certain operations or even, preferably, a microprocessor whose actions are controlled by a programme stored in a programme memory. The programme memory is preferably contained in the memory of the integrated circuit. Conventionally, the programme stored in a programme memory has sections which can not be altered. The part of the memory which contains them is therefore a readonly memory (of the non-volatile, EPROM type, for example, which specifically has a floating gate transistor as its memory unit, or of the screened ROM type, in other words made when the integrated circuit is manufactured). The part of the programme which can be changed is saved in a reprogrammable part of the memory (in practice, this reprogrammable part has cells of the non-volatile, electrically programmable and erasable type, EEPROM).

However, these non-volatile memories may also be protected live memories, the back-up being provided in the form of a battery.

In order to link up with the outside world, the portable medium has a connector with a few contacts (generally eight) or a Hertzian or other link. In all instances, transmission between the reader and the portable medium and vice versa is of the serial type. Any exchange of data between these two systems is therefore slower than it would be if a parallel link were used. This slowness is sometimes a nuisance during use.

When a portable medium is connected to a reader, there is usually a recognition phase and an authorisation procedure which occurs prior to the intended transaction.

In a known manner, this recognition may include a verification that the bearer of the portable medium who is making the connection is indeed the authorised holder. This verification procedure is run by obliging the bearer to enter a personal identification number (referred to as a PIN). In theory, this verification may be handled by an algorithm initiated either in the reader, in the portable medium or in the two of them together.

Furthermore, having verified that the bearer is an authorised holder, it is necessary to check that the portable medium is in fact intended for the application or one of the applications available in the reader. In the field of portable media, application is used to describe the series of transactions run both by a microprocessor of the reader and by that of the portable medium in order to meet the requirements expressed by the holder. For example, the reader will be connected to a dispenser for goods or services (automatic drinks dispenser, access barrier to a car park) or the reader will be connected to a data bank (in the case of seat reservations to an airline company or to a car reservation centre of a car-hire company, for example) ;or the reader might be linked to a financial institution enabling the holder to carry out financial transactions. The application or series of instructions carried out in the medium and reader or a connected apparatus, reflect these uses in which the user's requirements are met.

Accordingly, it is necessary to check that the reader and/or the portable medium are compatible with one another.

Verifications of this type are performed by operations referred to as a signature. The operations consist in picking up binary data from the portable medium, preferably relating to the identity of the bearer, the serial number of the card and certain data pertaining to the application, as well as certain electrical states that will indicate the operating status of the electronic circuit of the portable medium. Under normal circumstances, the verification procedure will take account of data relating to the application although, as will be seen below, this is not strictly necessary.

Having picked up these elements, the portable medium or reader will then work out a signature. The most basic signature might be formed by juxtaposing binary data picked up. A more complex system of producing a signature might involve encrypting these data. Once it has been computed, this signature is then compared with a standard signature stored in the reader or in the portable medium. If the verification is positive, the application will then be run as normal.

Generally speaking, the reader picks up various items of data from the portable medium piece by piece. In practice, the operating system of the portable medium's circuit does not give the reader much latitude, the aim being to prevent a reader from being tampered with by persons with fraudulent intent who might attempt to uncover the card's secrets. Picking up data piece by piece has the disadvantage of slowing down the preliminaries which precede the transaction.

Attempts have been made to overcome this problem by permanently storing the constant elements of the signature in the portable medium. For example, attempts have been made to store in a non-volatile memory (preferably even one which can not be modified from the outside) the more commonly requested elements: the references of the service provider, the serial number of the card, certain information pertaining to the application and, more generally, a public or private encryption key.

This has meant that the serial number of the card and the public or private encryption key, for example, have had to be stored in the card memory in as many copies as there are likely to be attempts to run different applications. It should be pointed out that any one service provider, for example a bank, may offer several applications: cash withdrawal, account balance, remote-controlled payments and so on. Consequently, having to duplicate the effective data for the signature as many times as will be needed is a totally disproportionate waste of space. In practice, it is known that a public key alone requires 512 or 1024 bits, for example, which is almost 2% of the maximum memory capacity.

This situation has yet other disadvantages. For reasons of memory size and/or transaction speed, it may be that various service providers will be offered a same operating system for the electronic circuit of the portable medium. For example, there may be a temptation to enforce a situation in which the signatures for all service-providers are set up in the same way. Apart from the fact that such a move, which would soon become publicly known, would offer no guarantee of security, it would also not take account of the legitimate requirements of the service providers to have a signature that suits them.

Otherwise, a manufacturer of portable media would only be able to solve the problem of giving these various service providers an electronic circuit that suited them if this electronic circuit incorporated operating systems in as many variants as there are service providers likely to use this circuit. Yet again, this works to the detriment of 6 the limited memory capacity of electronic circuits used with portable media.

Finally, even if there is no exchange between the reader and the card memory, the limitations of the integrated circuit of this card in terms of architecture represent another flaw. For example, the card's microprocessor has data input registers for processing data entries.

For reasons of space, these registers may be of a limited size. Their limited size may not be sufficient to process too large quantities of data. For example, an input register of this type might operate on two octets, whereas four or ten octets of data will be needed to set up a signature. This being the case, there is still the matter of the application programme having to deal with the consequences of this situation: i.e. organise reiterations. This is a disadvantage in terms of security because what it boils down to is allowing the application programme to process data, the manipulation of which has to be protected.

An object of the invention is to overcome or at least alleviate one or more of the difficulties present in the prior art.

An advantage of the invention is simplification of the operation system for o the card's microprocessor.

2 A further advantage of the invention is to overcome the disadvantages of S 20 limited memory capacity, slow exchanges and complex management by proposing a method of interpreting data which offers two additional features.

On the one hand, it will be possible to set parameters as to how the elements needed for the interpretation are prepared. On the other, the electronic circuit of the portable medium will have a controller to receive these parameters and, 25 at least, to concatenate the data correspondingto these parameters before working out the signature.

0For example, instead of, as is currently the case in the state of the art, asking the reader to pick up from the circuit memory a first set of bits and, having received W:Vnma yMMHNODEL\57678.doc them, request a second set of bits and so on, in order to work out the signature or arrange for it to be worked out, for the purposes of the invention the request issued by the reader is a single composite request which is dynamically interpreted at the level of the circuit. The circuit controller interprets this single request, assembles the requisite data and makes them available to the reader (transmits them to it via the interface) so that the reader can compute the signature or, alternatively, the controller will compute the signature itself. Another alternative is for the controller to prompt a microprocessor of the circuit to work out the signature.

The advantage produced by this is that in the situation where the signature is a simple juxtaposition of elements stored in memory, there is no need to store duplicates of the signature elements for the number of times that the medium can potentially be used. For the purposes of the invention, the signature is dynamically worked out, or the elements are assembled in readiness for working it out, only when needed. The system of permanent storage is replaced by a real time computation.

In one improved approach, provision is also made so that rather than issuing a command which is set up beforehand depending on the type of signature to be computed, the command settings are stored in the circuit memory. In order to prepare the elements needed for the signature, the reader then merely has to indicate to the circuit which of these command settings must be run. The settings indicated in this manner are picked up from the memory and then applied to the controller. By preference, in this case, the controller will have a microprocessor.

Once the controller has been set up with the parameters it has read in the circuit memory, it will run the command by searching for the data elements needed to form the signature as indicated by the parameters.

8 According to the present invention, there is provided a method of interpreting data for an electronic circuit mounted on a portable electronic medium, in particular of the chip card type, in which -several sets of bits are read in succession from addresses of a memory of the circuit and the sets of bits read are interpreted whilst producing a signature on the basis of these sets of bits read, wherein a composite command causes a composite reading procedure to be run in the circuit, this composite reading procedure consisting in reading at least a first set of bits relating to a first address and reading at least a second set of bits relating to a second address, these first and second addresses being parameters of the composite command, the composite command concatenates the first set of bits with the second set of bits, the requested signature :is computed on the basis of the concatenated bits.

The invention will be more readily understood from the description below :and the accompanying drawings. These are given by way of illustration only and are not intended to restrict the invention in any respect. The drawings 20 show the following: figure 1: an integrated circuit architecture which can be used to implement the method proposed by the invention; figure 2: a reader and a portable medium which can be used to implement the method proposed by the invention when transmitting between an 25 integrated circuit and a reader; figure 3: a flow chart showing different steps involved in the method -oproposed by the invention; W:rnary\MMHNODEL57678.dOC figure 4: the description of a message constituting a read request in one practical variant of the method proposed by the invention; figure 5: a schematic illustration of the s architecture of a circuit for a portable medium used for implementing the invention and, in particular, another embodiment of the invention.

Figure 1 illustrates an integrated circuit architecture which will implement the method proposed by the invention. A microprocessor 1 is connected to a programme memory 2, a data memory 3 and two input and output registers 4 and 5 respectively, via a data, address and command bus 6. In order to compute a signature (a string of bits) using the prior art, a programme 7 would need to incorporate as many instructions as would be necessary. In the case of the invention, these instructions are replaced by a composite instruction OC accompanied by parameters Al, An. In order to simplify the system, these parameters represent, for example, addresses in the memory 3 at which the sets of bits SET 1, SET 2, SET n, used to make up the signature are respectively located.

The composite command basically incorporates the following micro-instructions: read 1 or m parameters of the command OC, from the memory 3, for example, pick up the first sets of bits necessary located at the address read in the command OC, load these sets of bits into the register 4, process these sets of bits using the microprocessor i, transfer the processed bits to the register reiterate this sequence of micro-instructions for the subsequent sets of bits until all the parameters associated with the composite command OC have been used.

This reiteration will include a test to check whether the parameter or parameters which have just been processed are the last ones or whether they are followed by others.

For example, in one specific architecture of the integrated circuit, which has a two-octet input register 4 and assuming that each of the bits is one octet, the composite command OC will cause the designated sets of bits to be processed two by two (m=2 in this case); starting with addresses Al and A2, for example. The sets of bits will then be picked up from two addresses for subsequent parameters until all the parameters Al to An have been used.

In practice, the sequence of micro-instructions mentioned above will be a command OC in the operating system of the microprocessor 1. In one variant, a wired circuit with a sequencer or a looped sequential circuit may be used if it is not desirable to incorporate the command OC in the operating system of the integrated circuit.

The processing performed in the microprocessor 1 can be reduced to its most basic expression: i.e. nothing at all. This being the case, insertion in the register 4 (which may even be merged with the register 5) will be the end of one iteration. In actual fact, running the command OC is essentially a concatenation: i.e. it involves placing bits from sets 1 side by side with bits from sets 2 to n, in a sequence that is determined beforehand.

In an improved version, the set of addresses Al, An used as parameters is replaced by a logic reference or special address X. The requisite addresses Al, A2, An will be stored at the address X in the memory 3 or even in another special memory for parameters 7. If only one special address X is used, this address X does not even have to be explicitly present as a parameter in the command OC. It merely needs to be implicit: the command OC will then start by reading the contents of the special address X. However, it may be that there are several special addresses, X and Y for example. In this case, the command OC will be set up by the special address or addresses X or Y at which the addresses Al, A2, An and BI, B2, Bn of the sets of bits to be processed are located.

In the situation where there are one or more special addresses, the command OC will include an additional microinstruction which will detect whether the next parameter to be processed (Al, A2 or X) corresponds to a special address or not. The special addresses will be those which contain a specific bit conformation, for example. The test microinstruction which detects whether the address is a special one or not may even be incorporated in the reiteration loop of the command OC so that, instead of an address An, another special address Y (which in turn will prompt processing of another set B1 to Bn of parameters) can be loaded at the address X in memory 7 in a last parameter location at this address.

If a special address is incorporated, the command OC will then include an operation, prior to or whilst performing the iterations, consisting in reading the contents of the address Al, An, which are themselves contained in the special address X in question.

A part of the addresses or parameters may be incorporated in the command OC and another part or the complete entity may come from a transmission external to the circuit. This approach will be described in detail below.

Figure 2 illustrates a system which can be used to implement the method proposed by the invention. This system has a unit for portable media such as a chip card 8. This chip card has an electronic circuit 9 connected to contact terminals 10 visible on the surface of the card. These contact terminals 10 are used to connect the electronic circuit 9 to the outside world. However, connection may also be made by means of an antenna 11 embedded in the body of the portable medium or optionally may even be incorporated in the surface-mounted electronic circuit 9.

The card is designed to connect with a reader 12. In this case, the connection is an electrical link, the contact terminals 10 being placed in contact with contact terminals of the reader 12. The reader 12 generally, although not necessarily, has a keyboard 13 and a screen 14. As a rule, the reader 12 will have a microprocessor.

Displayed on the screen 14 are messages designed to guide the transaction or provide information about its progress.

As an example, the reader 12 might be used in the context of a service device 15 (access to a car park), a goods dispensing device 16 (a drinks dispenser) or a device 17 comprising a data base (financial or for documents) The reader 12 may be connected to one or several of these devices. The link envisaged in this case is a real time link. However, it may be a delayed link. The link between the reader and the device is not necessarily a physical link and may instead be a Hertzian transmission across a channel or any other means.

The mode of exchange between the medium 8 and the reader 12 consists of two main phases, a recognition phase illustrated as a whole in figure 3 and a transaction phase with the devices 15 to 17 which will not be described here since this aspect is conventional. The recognition phase generally involves verification of the bearer by the device and verification that the medium 8 and the reader 12 are capable of operating an application which the user wants to run.

Figure 3 illustrates an initial verification of the bearer before moving on to running the verification pertaining to the application. However, it would be perfectly feasible to reverse the order of these two checks. It would also be possible to dispense with the verification of the bearer altogether. If this verification is run, it will proceed as follows. Firstly, the medium 8 is connected to the reader 12. As soon as it is connected, a detector of the end-position detection type will detect that the medium has been inserted and connected to the reader 12.

Then, in one example, the circuit 9 will take over the transaction and run a request for information relating to the idehtification number of the holder (PIN). In practice, the circuit 9 issues a message to the reader to prompt such a request. This request takes the form of a message appearing on the screen 14 requesting the holder to enter the characters of his personal identification code from the keyboard 13. Optionally, it will not be an express request from the circuit 9 which causes the message to appear on the screen 14. In this case, it will be the reader 12 which assumes authority over the transaction whilst the circuit 9 switches to a reception standby mode. The operator will then enter his PIN code.

During a following step, the personal identification information of the bearer will be transmitted to the medium by the reader for checking. In the example described, this check is run in the circuit 9. However, it would also be possible to reverse the verification mode and have the information pertaining to the (theoretical) identity of the bearer sent from the circuit 9 to the reader and compare these two sources of information in the reader.

In reality, this principle of checking is implemented in a much more complex manner. In effect, the exchanges between the reader 12 and the circuit 9 for the purposes of checking the identity of the bearer are not performed until the messages to be sent have been encrypted.

At the end of the verification procedure, the verifying unit issues a reject message if unsuccessful or, in the opposite situation, moves on to the sequence of operations (possibly displaying information on the screen 14 confirming that this first check was successful).

In one example, the circuit 9 will then send to the reader a menu to be displayed on the screen 14. The menu will provide information about what applications are available from the medium 8 and the reader 12. For example, if the medium is a bank card of the VISA, MASTERCARD or CB (Carte Bleue) type, a message representing this type of application can be sent to the reader 12 by the medium 8.

If the medium 8 is a card of the multi-function type, all the available functions will be displayed: a function giving access to a car park controlled by the device 15, a function offering an item via a counter 23 controlled by the device 16, a function for running a bank transaction by connection to the data base 17 or still other functions.

Each function is shown by some form of indication on the screen 14, generally a line of plain text stating what the function is. The functions available on the card will not be displayed unless they can also be offered by the reader 12.

The user selects a menu option using a pointer device on the keyboard 13 and asks for it to be run by using an "ENTER" key on this keyboard, for example. Under these circumstances, the microprocessor of the reader 12 is notified of the application concerned. The reader will then ask the circuit 9 to prepare a specific signature in order to verify that the medium 8 is indeed capable of running the application in question.

If there is no keyboard 13 or screen 14, only one of the devices 15 to 17 will of course be connected to the reader. This being the case, no choices will be offered.

The reader will therefore not need to receive a menu from the circuit 9. Also in this case, the reader will know exactly what type of signature it must run from the medium.

j Figure 4 and figure 5 respectively show a command structure for preparing the signature sent by the reader 12 to the circuit 9 and the operations run by the circuit 9 accordingly, as proposed by the invention. As mentioned in connection with figure i, in a general case, the circuit 9 will have a microprocessor 1. The microprocessor 1 is connected via a data, command and address bus 6 to the first memory 2 containing an operating programme. Connected to the same bus, the circuit 9 will also have a set 18 of data memories, one or several dynamic memory registers 4 (RAM) and an input/output interface 19 connected to the connector 10. In principle, the microprocessor of the circuit 9 knows that it must use the bus 6 to search the memory 2 for instructions, process them and send them to their destination (normally indicated in the instruction code), which will be either a memory or the interface 19.

For example, the programme memory 2 is shown as having a macro-instruction PIN corresponding to the holder verification described above. For the purposes of the invention, the programme memory 2 will also have a composite command OC for computing the signature as proposed by the invention.

If the reader 12 is capable of sending several commands to the card, the command to prepare the signature will have to incorporate an instruction indicating that this command is itself a command OC for preparing the signature. In zone 20 of figure 4, the command which is issued therefore includes the designation OC. In the specific example of application 15, on the other hand, it would not even be necessary for the signature command OC to be sent because the only thing likely to be requested is precisely a signature. Nevertheless, as a general rule, the command requesting a signature to be prepared will include an instruction OC to this effect. For reasons of simplicity, in this present request, the nature of the messages transmitted are sent in plain language (OC).

Clearly, in reality, strings of bits are transmitted, each plain text expression therefore being coded in binary.

The command to prepare the signature will also include at least two address names for sets of bits, i.e. two parameters. In a more general case, there will be n parameters, n being greater than or equal to two. These parameters provide information about the addresses to be designated in the memories of the unit 18, and, in a preferred example, about the quantities of bits to be picked up from these designated addresses. For example, a first parameter will relate to an address ADR1 and a name of a batch of bits: DES-lot-1. In one example, the batch of designated bits contains all the bits available at the address ADR1. In this example, the bits represent the identity of the service provider who has issued the card.

If it is a bank, for example, this will be the name and references of the bank (in coded form). However, it would also be feasible to pick up only some of the bits from the address ADR1. If, in particular, this name and these references take up several octets, it would be possible to take only one octet into consideration or only several consecutive octets of this name. At this point, what is important is to denote the locations in the memory 18 from which the data of the first argument has to be picked.

The prepare command also includes the name of at least a second argument designating in a similar manner other parts of the memory 18, or optionally the same parts designated a second time but possibly with perhaps a choice of different designated octets or the same choice.

In practice, the different zones of the unit 18 concerned are a zone 21, which- is a zone containing information pertaining to the service provider and the serial number of the card. A zone 22 may contain information relating to the application, for example a counter number 23 at which one might be served with the card via the apparatus 16 or quite simply the programme that will be run for the relevant application. A third zone 24 may be used to store other information specific to the card, for example a random number (generated anew each time the card is electrically connected) or a transaction counter by means of which the card will simply indicate the number of times it has been used since it was initially set up. In this example, the zones 21, 22 and 24 of the memory will be zones of the read-only type based on an EPROM memory cell of the OTP type (One Time Programming), which is programmable only once. The zone 22 will tend to be made up of memory cells of the EEPROM type, which are erasable and re-writable. Zone 24 will consist of volatile memory cells which may be static and dynamic for the random number, or non-volatile cells for the counter.

When the command to prepare the signature has been sent with its various parameters, it is received in the microprocessor 1 of the circuit 9. The microprocessor 1 will then look up the memory 2 to extract and then run the micro-instructions relating to the command OC which it received. For the purposes of the invention, this command OC consists of picking up the batch of bits 1 from the address ADRI in zone 21, for example, the batch of bits 2 from the address ADR2 in zone 22 and so on up to the batch of bits n at the address n. It then consists in assembling these in the sequence requested in the command to prepare the signature.

The assembly process in this specific sequence is referred to as concatenation. In practice, it consists in using a certain number of words of a bits, b bits, c bits, etc., to form a single word of (a b c) bits. A distinction can be made between simple concatenations which are those conforming to this basic pattern and complex concatenations in which bits of words that were initially consecutive may not be placed in consecutive positions in the concatenated word. With certain words, optionally, their binary weight may be inverted in the concatenated word. Other combinations are also feasible. When setting up a concatenation, it is also possible to compute a key, which is added to the end of the concatenated word. In some instances, it is therefore possible to apply more complex processing to the words picked up. The complex transaction is normally the signature, strictly speaking. A signature of this type consists in producing a representative binary string, conforming to a given algorithm that is known in advance, of the bits picked up. For the purposes of the invention, composite command OC is strictly speaking intended to mean at least the process of preparing all the bit strings designated in the signature parameters. The algorithm may be applied as an additional feature. It is run by the microprocessor 1.

If the signature (implementation of the algorithm) is composed by the reader, the concatenated bits are sent to the reader during a transaction 25 (figure There are various ways of doing this. Firstly, the microprocessor 1 or controller which is running the process of preparing the signature proposed by the invention is sufficiently quick for it to be unnecessary to store the concatenated global word in a main register 5. This being the case, the bits of the concatenated word are fed onto the interface 19 in the direction of the reader 12 as and when they are extracted by the microprocessor 13 from the zones 21, 22 and 24.

However, for reasons of simplicity, it is preferable to store them initially in a register 5 (or 4 if no processing is involved). After step 25, once the bits have been received by the reader 12, the reader composes the actual signature, which may be simple or complex. This signature is then compared 27 with a standard signature which is also provided by the medium 8 or is known to the reader 12 in advance. At the end of the comparison 27, the remainder of the transaction can be run with the reader 12.

Alternatively, a reject message will be issued if the verification procedure failed.

In another variant where the signature is composed by the medium 8, processing may be applied directly during concatenation, as and when the elements picked up from the memories 21, 22 and 24 are applied to the bus 6. However, there may be a step 28 in which the concatenated word is stored in a volatile memory (RAM) or in a non-volatile memory (EPROM) Then, in the following step 29, the medium 8 will assume the task of signing in accordance with an algorithm determined beforehand. During a later step 30, it will check that the computed signature corresponds to an anticipated signature and, like the reader 12, prompt the continuation of the transaction or its failure by issuing a reject.

In figure 3, the links shown by broken lines indicate those aspects which are optional in some of the steps described for the purposes of the invention. The special feature of the invention is that it allows a signature to be prepared for different types of signature. In a banking application, for example, depending on whether the card is of one type or another, VISA, MASTERCARD or CB, for example, the command of figure 3, sent by the reader to the card, will be (once its type has been recognised) a command which contains the requisite parameters accordingly. The organisation and the order of rank of the information within the concatenation in particular will be dependent on the type of application selected and the type of bank detected.

Accordingly, the command that is issued will contain a first character string 20 OC, or OC VISA or OC MASTERCARD, indicating that the elements of a signature have to be prepared. The next (or preceding) parts 31 of the same message of the command will provide information relating to the different parameters of the signature. The command illustrated in figure 3 is, of course, encapsulated by signalling bits 32 and conventional bits 33.

As mentioned above, the part 20 of the command may not be necessary if the reader is of the type which does one thing only: contributes to composing a signature.

Similarly, this part 20 will not be necessary in terms of receiving on the circuit 9 if, for example, it is the only request likely to be run by a reader taking over the transaction once the circuit 9 has been placed in standby at the end of the bearer verification transaction.

Similarly, the parts 32 and 33 may contribute towards the definition of the command. The bit string 32 representing a piece of information denoting a beginning (START), transmission or synchronisation may replace the command OC, which is not transmitted. The number of parameters requested may differ from one application to another (regardless of the addresses indicated) and the end command 33 may implicitly indicate the total number of parameters required to compute the signature. At the end of the day, the only things which must be contained in the message sent by the reader to the circuit, in all instances, are the parameters needed for the signature. In the circuit 9, only the controller preparing the signature is necessary and the signature itself can be handled by the circuit 9 or the reader 12 or even by the two in conjunction with one another.

In an improved version, the reader will not even send the parameters 1 to n mentioned above to the circuit 9. In order to run the transaction of preparing the signature, it will send nothing more than a name of the type of signature which has to be prepared. Accordingly, depending on whether the application is of the VISA, MASTERCARD or CB type, instead of and in place of the parts 20 and 31 of the message, the reader will send a piece of information relating respectively to the command OC and to VISA, MASTERCARD, CB or any other. The definition of VISA, MASTERCARD or CB will represent a special address X, Y or Z from which the requisite parameters have to be picked up.

The microprocessor which receives this name associated with a command for a signature of a different type will run an additional prior transaction during a special signature transaction. In order to perform this special signature preparation, the microprocessor 1 will initially look in a special address zone of the memory 34, preferably of the read-only memory type which can not be programmed by the user, for the parameter information 1 to n or p to q or v to w corresponding to the relevant application indicated.

In other words, this approach avoids having to transmit on the link between the circuit 9 and the reader 12 the whole part 31 of the message, which might be long.

The part 20 may be transmitted depending on the requirements of the circuit 9 and depending on whether it is expected by its operating system or not. If it is not expected, it will be its operating system which governs the chronological order in which it can initiate transactions.

If, however, the bus 6 in the circuit 9 is of the parallel type, the procedure outlined above by which the signature is prepared will be much quicker if the microprocessor 1 reads the parameters from the memory 34 instead of receiving them via the interface 19. In terms of memory requirement, each parameter may be equivalent to four octets: 2 start address octets from one part of the memory 21, 22 or 24 to be read and two octets for the end address of this part. This will make four octets. Setting a practical limit of five or six parameters, the maximum space requirement would be 20 octets with the variant in which the preparation and concatenation structure is stored in the circuit 9. This compares with 128 octets needed to store just the secret key or public key in memory using methods of the prior art.

Finally, the invention has two additional advantages over the prior art. On the one hand, because exchanges between the medium and the reader 12 are limited, there is first of all less risk of the bits transmitted between the medium and the reader being corrupted and there is therefore less opportunity for anyone with fraudulent intent to find out what is happening.

Secondly, the invention allows the nature of the signature used to be amended at the request of the service provider. In effect, the controller function stored in the programme memory 2 for the signature merely has to be launched, which can be done by the microprocessor 1 when the command OC is received in the message 20, 31. The command OC does not need to know which parameters are required for the signature: Al to An. If a service provider wants to change the nature of the verification transaction used for his application, he will merely need to amend the parameters used for his signature command in the readers 12 concerned. In another variant, it may be that the memory 34 can be re-written (optionally under certain conditions) so that the nature of the parameters stored there for the application concerned can be amended.

Under certain circumstances, in addition to the progressive concatenation, the composite command may also run an encryption algorithm, for example an RSA algorithm, the parameters of which will indicate the data in the memory from which the encrypted result must be computed.

Claims

1. A method of interpreting data for an electronic circuit mounted on a portable electronic medium, in particular of the chip card type, in which several sets of bits are read in succession from addresses of a memory of the circuit and the sets of bits read are interpreted whilst producing a signature on the basis of these sets of bits read, wherein a composite command causes a composite reading procedure to be run in the circuit, this composite reading procedure consisting in reading at least a first set of bits relating to a first address and reading at least a second set of bits relating to a second address, these first and second addresses being parameters of the composite command, the composite command concatenates the first set of bits with the second set of bits, the requested signature is computed on the basis of the concatenated bits. e

2. A method as claimed in claim 1, wherein the circuit is connected to a reader, :o the reader sends a request to the circuit to compute a signature and the circuit issues a message corresponding to the concatenated bits.

3. A method as claimed in claim 2, wherein S 25 a request to compute a signature accompanied by arguments (RSA) is sent to the circuit and the parameters of the composite command are replaced by the arguments transmitted.

4. A method as claimed in claim 3, wherein the composite command is run by completing the transmitted arguments with parameters specific to the medium. A method as claimed in any one of claims 1 to 4, wherein W:marya\MMHNODEL57678.doc 24 the parameters of the composite command are filed at a special address, the composite command is run by firstly reading the contents of the special address and by using as parameters for this command a part of the contents that were read at the special address.

6. A method as claimed in claim 5, wherein the composite command is re-run for another part of the contents of the special address and this re-run is reiterated to the end of the contents of the special address.

7. A method as claimed in claim 6, wherein a test is run to ascertain whether the contents of the special address are in turn another special address and, if such is the case, the composite command is re-run for a part of the contents of this other special address. 0 A method as claimed in any one of claims 1 to 7, wherein 20 a simple signature is computed on the basis of the bits read. 0°o S9. A method as claimed in any one of claims 1 to 7, wherein a complex signature is computed on the basis of the bits read, 0 whereby, after reading and concatenation, the composite command processes 25 the bits read in order to transform them into different bits.

10. A method as claimed in any one of claims 1 to 9, wherein the signature is computed in the circuit.

11. A method as claimed in any one of claims 1 to 10, wherein the first set of bits and the second set of bits are separate and are selected from bits representing the identity or references of a holder of the medium, a secret code or a serial number of the circuit, W:marvWMHNODEL\57678.dOC data pertaining to a specific use of the medium, or a transaction counter, a random number or dynamic data contained in the circuit.

12. A method as claimed in any one of claims 1 to 11, wherein a message sent by the reader to the circuit requesting the composite reading procedure will be different in nature depending on whether the circuit is to be used for a first application (VISA) or for a second application (MASTERCARD) which is different from the first.

13. A method of interpreting data, substantially as herein described, with reference to the accompanying drawings.

14. A method of interpreting data, as herein described, with reference to any of the examples. DATED: 3 February 2000 PHILLIPS ORMONDE FITZPATRICK 20 Patent Attorneys for: GEMPLUS S.C.A. *9 9 W:\mary\MMHNODEL57678.doc