United States Patent [19]
Chan et al.

[11] Patent Number: 6,005,942
[45] Date of Patent: Dec. 21, 1999

[54] SYSTEM AND METHOD FOR A MULTI APPLICATION SMART CARD WHICH CAN FACILITATE A POST-ISSUANCE DOWNLOAD OF AN APPLICATION ONTO THE SMART CARD

[75] Inventors: Alfred Chan, Daly City; Marc B. Kekicheff, Palo Alto; Joel M. Weise, Burlingame; David C. Wentker, San Francisco, all of Calif.

[73] Assignee: Visa International Service Association, Foster City, Calif.

[21] Appl. No.: 09/046,993
[22] Filed: Mar. 24, 1998

Related U.S. Application Data
[60] Provisional application No. 60/061,763, Oct. 14, 1997, and provisional application No. 60/041,468, Mar. 24, 1997.

[51] Int. Cl.6: H04L 9/00; H04L 9/08; G07F 7/08
[52] U.S. Cl.: 380/25; 380/9; 380/21; 380/23; 380/24; 380/29; 380/30; 380/49; 380/50; 235/379; 235/380
[58] Field of Search: 380/4, 23, 24, 25, 49, 50, 59, 9, 21, 29, 30; 235/379, 380, 382; 379/93.01, 93.05, 93.06, 93.12

[56] References Cited

U.S. PATENT DOCUMENTS
4,742,215   5/1988    Daughters et al.   235/487
5,332,889   7/1994    Lundstrom et al.   235/380
5,378,884   1/1995    Lundstrom et al.   235/380 X
5,530,232   6/1996    Taylor             235/380
5,583,933   12/1996   Mark               380/9 X

FOREIGN PATENT DOCUMENTS
E 100227      11/1994   Austria
0193635 A1    9/1986    European Pat. Off.
19607363 A1   9/1996    Germany

OTHER PUBLICATIONS
EPO, International Search Report, Jul. 3, 1998, International Application No. PCT/US 98/05674.
Carol Hovenga Fancher, "In Your Pocket Smart Cards", Feb. 1997, IEEE.
Chaum et al., "Smart Card 2000: The Future of IC Cards", Oct. 19, 1987, Elsevier Science Publishers B.V.
Steven Levy, "E-Money (That's What I Want)", Dec. 1994, Wired Magazine.
Carol H. Fancher, "Smart Cards as Potential Applications Grow, Computers in the Wallet are Making Unobtrusive Inroads", Aug. 1996, Scientific American Website.
Jerome Svigals, "Smart Cards The New Bank Cards", 1985, MacMillan Publishing Company.
Roy Bright, "Smart Cards: Principles, Practice, Applications", 1988, Ellis Horwood Limited.
Jerome Svigals, "Smart Cards The Ultimate Personal Computer", 1985, MacMillan Publishing Company.
Hawkes et al., "Integrated Circuit Cards, Tags and Tokens", 1990, BSP Professional Books.
Hiro Shogase, "The Very Smart Card: A Plastic Packet Bank", Oct. 1988, IEEE Spectrum.
David Naccache, "Cryptographic Smart Cards", Jun. 3, 1996, IEEE Micro 1996 Website.
Zoreda et al., "Smart Cards", 1994, Artech House.
"Identification Card Systems—Inter-Sector Electronic Purse Part 1: Concepts and Structures", 1994, European Standard, prEN 1546.
"Identification Card Systems—Inter-Sector Electronic Purse Part 2: Security Architecture", 1994, European Standard, prEN XXXXX-2.
"Identification Card Systems—Inter-Sector Electronic Purse Part 3: Data Elements and Interchanges", 1994, European Prestandard, prEN 1546-3.
"Identification Card Systems—Inter-Sector Electronic Purse Part 4: Devices", 1994, European Prestandard, prEN 1546-4.
"Identification Cards—Integrated Circuit(s) Cards With Contacts Part 1: Physical Characteristics", 1987, International Standard, ISO 7816-1, First Edition.
"Identification Cards—Integrated Circuit(s) Cards With Contacts Part 2: Dimensions and Location of the Contacts", 1988, International Standard, ISO 7816-2, First Edition.
"Identification Cards—Integrated Circuit(s) Cards With Contacts Part 3: Electronic Signals and Transmission Protocols", International Standard, ISO/IEC 7816-3, First Edition.
"Identification Cards—Integrated Circuit(s) Cards With Contacts Part 4: Inter-Industry Commands for Interchange", International Standard, ISO/IEC 7816-4, First Edition.
"Identification Cards—Integrated Circuit(s) Cards With Contacts Part 5: Numbering System and Registration Procedure for Application Identifiers", 1993, International Standard, ISO/IEC DIS 7816-5.
"Identification Cards—Physical Characteristics", 1995, International Standard, ISO/IEC 7810, Second Edition.
"Identification Cards—Recording Technique—Part 1: Embossing", 1995, International Standard, ISO/IEC 7811-1, Second Edition.

Primary Examiner—Bernarr E. Gregory
Attorney, Agent, or Firm—Beyer & Weaver, LLP

[57] ABSTRACT

A system and method allow card issuers to securely add applications during the lifetime of the card after the card has already been issued (post issuance). Loading of an application and/or objects from an application server via a card acceptance device (and its supporting system infrastructure delivery mechanism) onto a card post issuance is performed in a secure and confidential manner. A smart card includes a card domain application that manages the card. Any number of security domain applications on the card provide security for loaded applications by managing keys; each application is associated with a security domain. Each of the card domain and security domains has a command interface for off-card communication, and an API for internal card use. The card life cycle includes the states of masked, initialized, load secured and blocked. An application life cycle includes the states of not available, loaded, installed, registered, personalized, activated and blocked. An application can block the card.

24 Claims, 15 Drawing Sheets

SIERRA WIRELESS 1020

OTHER PUBLICATIONS (continued)
"Identification Cards—Recording Technique—Part 2: Magnetic Stripe", 1995, International Standard, ISO/IEC 7811-2, Second Edition.
"Identification Cards—Recording Technique—Part 3: Location of Embossed Characters on ID-1 Cards", 1995, International Standard, ISO/IEC 7811-4, Second Edition.
"Identification Cards—Recording Technique—Part 5: Location of Read-Write Magnetic Track—Track 3", 1995, International Standard, ISO/IEC 7811-5, Second Edition.
"Identification Cards—Recording Technique—Part 6: Magnetic Stripe—High Coercivity", 1996, International Standard, ISO/IEC 7811-6, First Edition.
"Identification Cards—Financial Transaction Cards", 1990, International Standard, ISO/IEC 7813, Fourth Edition.
"Identification Cards—Financial Transaction Cards Amendment 1", 1996, International Standard, ISO/IEC 7813, Fourth Edition.
"Identification Cards—Contactless Integrated Circuit(s) Cards—Part 1: Physical Characteristics", 1992, International Standard, ISO/IEC 10536-1, First Edition.
"Identification Cards—Contactless Integrated Circuit(s) Cards—Part 2: Dimensions and Location of Coupling Areas", 1995, International Standard, ISO/IEC 10536-2, First Edition.
DRAWING SHEETS

The fifteen drawing sheets are images in the original; only the figure titles, box labels and reference numerals legible in the scan are kept below.

Sheet 1 of 15, FIG. 1 (prior art): block diagram of a smart card; labels not legible in the scan.

Sheet 2 of 15, FIG. 2 (prior art), "Smart card software layers": operating system 200; card application programming interface (card API) 204; applet 1 and applet 2 above the API.

Sheet 3 of 15, FIG. 3A: operating system 300; card application programming interface (card API) 304; open platform API (OP API) 306; card domain 308 with a command interface and a domain API 350; applets 305A, 305B and 305C, each with its own command interface 354A, 354B and 354C.

Sheet 4 of 15, FIG. 3B: as FIG. 3A (operating system, card API 304', OP API 306', card domain 308' with command interface 352' and domain API 350', applets 305A-305C with command interfaces 354A'-354C'), plus security domain 1 (310A) with command interface 320A and security API 322A, and security domain 2 (310B) with command interface 320B and security API 322B.

Sheet 5 of 15, FIG. 4: 400 issue a smart card -> 402 forward an application to the issued smart card -> 404 load the application onto the smart card using the card domain. FIG. 5: 1002 create a smart card and provide a first application to the smart card that includes a cryptographic service -> 1004 load a second application onto the smart card -> 1006 install the second application using the cryptographic service of the first application.

Sheet 6 of 15, FIG. 6: issuer deploys smart cards to customers -> a decision is made to install a vendor application onto a card -> when a dialog between the issuer and the card is initiated, a pre-signed copy of the application is forwarded to the card -> card domain decrypts the application and checks signature of application -> is signature valid? -> application receives personalization data -> application invokes card domain decryption service -> card domain performs a signature check -> activate the application.

Sheet 7 of 15, FIG. 7A: sequence of card life states (700); state labels not legible in the scan. FIG. 7B: application life states (750-760): load, install, register, personalize, block, with delete and unblock transitions; the exact numbering is not legible.

Sheet 8 of 15, FIG. 8: example of a card life cycle; the text is rotated in the scan and not legible.

Sheet 9 of 15, FIG. 9: 600 an application is in use -> 602 application detects a problem which triggers a card block request -> 604 application sends a card block request to card domain -> is the card block authorized? -> no: 608 card domain does not block card; yes: 610 card domain authorizes the card blocking -> 612 card domain blocks card.

Sheet 10 of 15, FIG. 10: card domain 308; security domain A (310A) associated with masked application 305A; security domain B (310B) associated with post issuance loaded application 305B.

Sheet 11 of 15, FIG. 11A: 1100 issuer decides to include a security domain on card -> 1102 issuer assigns a security domain to vendor A -> 1104 vendor A (or an application developer on behalf of vendor A) generates secret keys and sends the keys to a card personalization agent in a secure manner -> 1106 card personalization agent receives keys and loads a secure domain key associated with a specific security domain for each card -> 1108 card personalization agent receives cards and collects other data and places data on card -> 1110 issuer deploys cards to customers -> 1112 a decision is made to install vendor A's application on the card -> 1114 when a dialog between the issuer and the card is initiated, a pre-signed copy of the application is forwarded to the card.

Sheet 12 of 15, FIG. 11B: 1118 card domain invokes security domain's cryptographic service to decrypt the application and check signature -> is signature valid? -> 1122 application receives personalization data -> 1126 application invokes security domain's decryption service and signature check -> 1130 activate the application.

Sheet 13 of 15, FIG. 12A: 1200 issuer decides to include a security domain on card -> 1201 trusted party generates secret keys and sends the keys to a card personalization agent in a secure manner -> 1202 card personalization agent receives keys and loads a secure domain key associated with a specific security domain for each card -> 1204 card personalization agent receives cards and collects other data and places data on card -> 1206 issuer deploys cards to customer -> 1208 a decision is made to install vendor A's application on the card -> 1210 vendor A obtains secret keys for the security domain from the trusted party -> 1212 vendor A sends the issuer a pre-signed copy of the application.

Sheet 14 of 15, FIG. 12B: 1214 when a dialog between the issuer and the card is initiated, a pre-signed copy of the application is forwarded to the card (the application can be pre-signed with a key equivalent to that which already exists on the card so that each application has a unique signature that can be verified by the card) -> 1218 card domain invokes security domain's cryptographic service to decrypt the application and check signature -> is signature valid? -> 1222 application receives personalization data -> 1226 application invokes security domain's decryption service and signature check -> 1230 activate the application.

Sheet 15 of 15, FIG. 13: key management and key dependencies for post issuance download of applications; labels not legible in the scan.

SYSTEM AND METHOD FOR A MULTI APPLICATION SMART CARD WHICH CAN FACILITATE A POST-ISSUANCE DOWNLOAD OF AN APPLICATION ONTO THE SMART CARD

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. provisional application Ser. No. 60/061,763 filed Oct. 14, 1997, which is herein incorporated by reference. This application further claims priority to U.S. provisional application Ser. No. 60/041,468 filed Mar. 24, 1997, which is also herein incorporated by reference.
This application is related to U.S. application Ser. No. 09/046,994, filed on Mar. 24, 1998 which is also herein incorporated by reference for all purposes.

FIELD OF THE INVENTION

The present invention relates to smart cards. In particular, the present invention relates to a system and method for providing a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card.
BACKGROUND OF THE INVENTION

A smart card is typically a credit card-sized plastic card that includes a semiconductor chip capable of holding data supporting multiple applications.
Physically, a smart card often resembles a traditional "credit" card having one or more semiconductor devices attached to a module embedded in the card, providing contacts to the outside world. The card can interface with a point-of-sale terminal, an ATM, or a card reader integrated into a telephone, a computer, a vending machine, or any other appliance.
A micro-controller semiconductor device embedded in a "processor" smart card allows the card to undertake a range of computational operations, protected storage, encryption and decision making. Such a micro-controller typically includes a microprocessor, memory, and other functional hardware elements. Various types of cards are described in "The Advanced Card Report: Smart Card Primer", Kenneth R. Ayer and Joseph F. Schuler, The Schuler Consultancy, 1993.
One example of a smart card implemented as a processor card is illustrated in FIG. 1. Of course, a smart card may be implemented in many ways, and need not necessarily include a microprocessor or other features. The smart card may be programmed with various types of functionality, including applications such as stored-value; credit/debit; loyalty programs, etc.
In some embodiments, smart card 5 has an embedded micro-controller 10 that includes a microprocessor 12, random access memory (RAM) 14, read-only memory (ROM) 16, non-volatile memory 18, a cryptographic module 22, and a card reader interface 24. Other features of the micro-controller may be present but are not shown, such as a clock, a random number generator, interrupt control, control logic, a charge pump, power connections, and interface contacts that allow the card to communicate with the outside world. Microprocessor 12 is any suitable central processing unit for executing commands and controlling the device. RAM 14 serves as storage for calculated results and as stack memory. ROM 16 stores the operating system, fixed data, standard routines, and look up tables. Non-volatile memory 18 (such as EPROM or EEPROM) serves to store information that must not be lost when the card is disconnected from a power source but that must also be alterable to accommodate data specific to individual cards or any changes possible over the card lifetime. This information might include a card identification number, a personal identification number, authorization levels, cash balances, credit limits, etc. Cryptographic module 22 is an optional hardware module used for performing a variety of cryptographic algorithms. Card reader interface 24 includes the software and hardware necessary for communication with the outside world. A wide variety of interfaces are possible. By way of example, interface 24 may provide a contact interface, a close-coupled interface, a remote-coupled interface, or a variety of other interfaces. With a contact interface, signals from the micro-controller are routed to a number of metal contacts on the outside of the card which come in physical contact with similar contacts of a card reader device.
Various mechanical and electrical characteristics of smart card 5 and aspects of its interaction with a card reading device are defined by the following specifications, all of which are herein incorporated by reference.
Visa Integrated Circuit Card Specification, (Visa International Service Association 1996).
EMV Integrated Circuit Card Specification for Payment Systems, (Visa International Service Association 1996).
EMV Integrated Circuit Card Terminal Specification for Payment Systems, (Visa International Service Association 1996).
EMV Integrated Circuit Card Application Specification for Payment Systems, (Visa International Service Association 1996).
International Standard, Identification Cards—Integrated Circuit(s) Cards with Contacts, Parts 1-6 (International Standards Organization 1987-1995).
Prior to issuance of a smart card to a card user, the smart card is initialized such that some data is placed in the card. Initialization refers to the population of non-volatile memory with data that is common to a large number of cards while also including a minimal amount of card unique terms (e.g. card serial number and personalization keys). For example, during initialization, the smart card may be loaded with at least one application, such as credit or stored cash value, a file structure initialized with default values, and some initial cryptographic keys for transport security. Once a card is initialized, it is typically personalized. During personalization, the smart card is loaded with data which uniquely identifies the card. For example, the personalization data can include a maximum value of the card, a personal identification number (PIN), the currency in which the card is valid, the expiration date of the card, and cryptographic keys for the card.
A limitation of conventional smart cards is that new applications typically can not be added to an issued smart card. Smart cards are traditionally issued with one or more applications predefined and installed during the manufacturing process of the card. As a result, with traditional smart card implementation, once a card has been issued to a card user, the smart card becomes a fixed application card. If a new application is desired, the smart card is typically discarded and a new smart card, which includes the new application, is issued.
It would be desirable to provide a smart card which would allow applications to be loaded after the card is issued.
Further, it is desirable to provide a mechanism to manage the loading of an application as well as general management of the applications on the smart card. Additionally, it is desirable to allow an application provider to keep cryptographic keys confidential from the issuer of the smart card and to securely allow applications from different entities to coexist on a card.

SUMMARY OF THE INVENTION

Embodiments of the present invention teach a system and method which allow card issuers to add applications during the lifetime of the card after the card has already been issued (referred to herein as post issuance loading). Downloading an application after the card has been issued to the card holder will be referred to herein as a "secure install" process. The system and method according to embodiments of the present invention allow the post issuance loading of an application and/or objects from an application server via a card acceptance device and its supporting system infrastructure delivery mechanism onto a card in a secure and confidential manner.
An embodiment of the present invention provides a system and method for controlling at least one function associated with an issued smart card. In a multiapplication smart card, a privileged application, herein referred to as a card domain, manages multiple functions related to the smart card. Examples of these functions include card initialization, global card data, card life cycle, and secure installation of smart card applications.
A method according to an embodiment of the present invention for providing a first application onto an issued smart card comprises the steps of forwarding the first application to the issued smart card; and loading the first application onto the issued smart card, wherein the loading of the first application is managed by a second application.
In another aspect of the invention, a system according to an embodiment of the present invention for controlling at least one function associated with an issued smart card is disclosed. The system comprises a first application associated with the issued smart card; and a second application associated with the issued smart card, the second application being in communication with the first application, wherein the second application manages at least one function associated with the first application.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a smart card system suitable for implementing the present invention.
FIG. 2 is an example of a block diagram of software layers which can be utilized in a smart card.
FIGS. 3A-3B are block diagrams of examples of software layers according to embodiments of the present invention.
FIG. 4 is a flow diagram of an example of a method according to an embodiment of the present invention for installing an application onto an issued smart card utilizing a card domain.
FIG. 5 is a flow diagram of a method according to an embodiment of the present invention for providing confidential information to an application in a smart card using security domains.
FIG. 6 is a flow diagram of an example of a method according to an embodiment of the present invention for installing an application onto an issued smart card utilizing a card domain.
FIG. 7A is a flow diagram illustrating a sequence of card life states.
FIG. 7B is a flow diagram illustrating a sequence of card life states.
FIG. 8 is an illustration of an example of a card life cycle.
FIG. 9 is a flow diagram of an example of a method according to an embodiment of the present invention for blocking a card utilizing a card domain.
FIG. 10 is a block diagram illustrating interactions between a card domain and a security domain on a smart card according to an embodiment of the present invention.
FIGS. 11A and 11B are flow diagrams of an example of a method according to an embodiment of the present invention for loading an application by using a security domain after the smart card has issued.
FIGS. 12A-12B are flow diagrams of an example of a method according to an alternate embodiment of the present invention for loading an application using a security domain after the smart card has issued.
FIG. 13 is a block diagram illustrating an example of key management and key dependencies for post issuance download of applications onto the smart card.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following description is presented to enable one of ordinary skill in the art to make and to use the invention and is provided in the context of a patent application and its requirements. Various modifications to the preferred embodiments will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. Thus, the present invention is not intended to be limited to the embodiment shown but is to be accorded the widest scope consistent with the principles and features described herein.
FIG. 2 is a block diagram of an example of software layers which can be utilized in a smart card. The smart card shown in FIG. 2 includes an operating system 200, a card application programming interface (API) 204, and applications 206A-206B. Operating system 200 can include functionality to control the cards, memory management, input/output (I/O), and cryptographic features. Card API 204 utilizes the instructions from operating system 200 and writes these instructions into blocks which can be reused for common routines in multiple applications. Applications 206A and 206B can run on the smart card via instructions from API 204. These applications can include any application which can run on a smart card, such as stored value, credit, debit, transit, and loyalty.
One embodiment of the present invention is based upon the Java Card standard. In this case applications are referred to as 'Applets' and they are written to link to a Java Card API which is the application programming interface present on smart cards built to the Java Card standard.
Although the conventional software system shown in FIG. 2 allows for multiple applications, it does not solve the problem of how to securely load an application after issuance of the smart card to a user. If an application is to be loaded post issuance, a mechanism is needed to manage the loading of an application as well as the general management of the applications on the smart card. Additionally, an application provider may wish to keep cryptographic keys confidential from the issuer of the smart card. Accordingly, a mechanism is needed to provide for the separation of confidential information between an application provider and an issuer of a smart card. Embodiments of the present invention address such a need.
FIGS. 3A-3B are block diagrams showing software components of a smart card according to embodiments of the present invention. The arrows indicate dependencies between components. FIG. 3A shows an embodiment of a smart card utilizing a card domain, while FIG. 3B shows an embodiment of a smart card utilizing a security domain, as well as a card domain.
The example shown in FIG. 3A includes an operating system 300, a card API 304, applications 305A-305C, a card domain 308, and open platform (OP) API 306. The system shown in FIG. 3 allows for a secure and managed post issuance download of an application onto a smart card. A card domain is a card issuer's on-card control mechanism for a smart card according to the present invention.
Open platform API 306 classifies instructions into card domain 308 and security domains 310A-310B (shown in FIG. 3B). Accordingly, OP API 306 facilitates the formation of instructions into sets which can be identified as being included as part of card domain 308 and security domains 310A-310B.
Applications 305A-305C can include any application which can be supported by a smart card. Examples of these applications include credit, debit, stored value, transit, and loyalty. Applications 305A-305C are shown to include command interfaces, such as APDU interfaces 354A-354C which facilitate communication with the external environment. APDU stands for "Application Protocol Data Unit" and is a standard communication messaging protocol between a card acceptance device and a smart card. A command is a message sent by the terminal to the smart card that initiates an action and solicits a response from the smart card.
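The APDU framing described in the paragraph above, as an added example that is not code from the patent or from Visa: a small Python parser for short-form ISO 7816-4 command APDUs (CLA INS P1 P2, then an optional Lc-prefixed data field and an optional Le byte) that recovers the four command cases and checks every length against the bytes actually present, plus a splitter for the response (data followed by the SW1 SW2 status word). The sample APDUs, including the 5-byte application identifier, are constructed for this example; the INS values for SELECT (A4) and GET RESPONSE (C0) and the 9000 status word are the ones ISO 7816-4 defines.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CommandAPDU:
    """One terminal-to-card command: header plus optional data field and Le."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (absent in cases 1 and 2)
    le: Optional[int] = None   # expected response length (absent in cases 1 and 3)

    @property
    def case(self) -> int:
        """ISO 7816-4 case: 1 = header only, 2 = Le only, 3 = data only, 4 = data and Le."""
        if not self.data:
            return 1 if self.le is None else 2
        return 3 if self.le is None else 4

    def to_bytes(self) -> bytes:
        """Re-encode in short form; an Le of 256 is sent as 0x00."""
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le % 256])
        return out


def parse_command_apdu(raw: bytes) -> CommandAPDU:
    """Decode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le].

    Every length is checked against what is actually present, so a truncated
    or over-long message is rejected instead of being silently misread."""
    if len(raw) < 4:
        raise ValueError("command APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                                  # case 1
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                                            # case 2
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256)   # Le = 0x00 means 256
    lc = body[0]
    if lc == 0:
        raise ValueError("Lc = 0 is not valid in short-form encoding")
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError(f"Lc = {lc} but only {len(data)} data byte(s) present")
    rest = body[1 + lc:]
    if not rest:                                                  # case 3
        return CommandAPDU(cla, ins, p1, p2, data)
    if len(rest) == 1:                                            # case 4
        return CommandAPDU(cla, ins, p1, p2, data, le=rest[0] or 256)
    raise ValueError(f"{len(rest) - 1} unexpected byte(s) after Le")


def parse_response_apdu(raw: bytes) -> Tuple[bytes, int]:
    """Split a card response into (response data, status word SW1 SW2)."""
    if len(raw) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def is_success(sw: int) -> bool:
    """0x9000 is the ISO 7816-4 'normal processing' status word."""
    return sw == 0x9000


# Constructed sample traffic (the AID bytes are a placeholder, not a registered AID).
# SELECT (INS A4) by name with a 5-byte AID and Le = 0x00 -> case 4
SAMPLE_SELECT = bytes.fromhex("00A40400") + bytes([5]) + b"\x01\x02\x03\x04\x05" + b"\x00"
# GET RESPONSE (INS C0) asking for 16 bytes -> case 2
SAMPLE_GET_RESPONSE = bytes.fromhex("00C0000010")
# constructed proprietary-class command carrying one data byte -> case 3
SAMPLE_PROPRIETARY = bytes.fromhex("80F0000001AA")
# response: two bytes of data followed by SW 9000
SAMPLE_RESPONSE = bytes.fromhex("6F009000")
```

The length checks are the part worth copying: a command interface such as 352 or 354A-354C is the card's only exposure to the terminal, so an Lc that promises more bytes than arrived, or bytes left over after Le, should be refused rather than read past the buffer.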
Applications 305A-305C can run on the smart card via instructions from card API 304. Card API 304 is implemented using the instructions from the card operating system and writes these instructions into blocks which can be reused for common routines for multiple applications. Those skilled in the art will recognize that a translation layer or interpreter may reside between API 304 and operating system 300. An interpreter interprets the diverse hardware chip instructions from vendor specific operating system 300 into a form which can be readily utilized by card API 304.
Card domain 308 can be a "privileged" application which represents the interests of the smart card issuer. As a "privileged" application, card domain 308 may be configured to perform multiple functions to manage various aspects of the smart card. For instance, card domain 308 can perform functions such as installing an application on the smart card, installing security domains 310A-310B (shown on FIG. 3B), personalization and reading of card global data, managing card life cycle states (including card blocking), performing auditing of a blocked card, maintaining a mapping of card applications 305A-305C to security domains 310A-310B, and performing security domain functions for applications 305A-305C which are not associated with a security domain 310.
Card domain 308 is shown to include an API 350 and a command interface, such as Application Protocol Data Unit (APDU) interface 352. APDU interface 352 facilitates interfacing with the external environment in compliance with, e.g., International Standards Organization (ISO) Standard 7816-4, entitled "Identification Cards—Integrated circuit(s) cards with contacts—Part 4, Inter-industry commands for interchange," which is herein incorporated by reference.
For example, APDU interface 352 can be used during post issuance installation of an application or during loading of card global data. An application load and install option is performed via a set of appropriate APDU commands received by card domain 308. API 350 facilitates interfacing with the internal smart card environment. For example, API 350 can be used if card domain 308 is being utilized as a default in place of a security domain 310, or if an application requires information such as card global data, key derivation data, or information regarding card life cycle. In other words, Card Domain 308 via API 350 also processes APDUs for functions such as: reading ICC serial number, managing the card life cycle state including providing a card blocking service (the issuer is responsible for determining which applets, if any, can use the card blocking service), performing auditing for the card (when the card is blocked these are the only APDUs that will be handled), maintaining a mapping of security domains to applets, and acting as the security domain for the issuer's applets.
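A model of the card domain functions listed above, added here as an example and not code from the patent or from Visa. It ties together the pieces the text and FIGS. 7B, 9, 11 and 12 describe: each security domain holds a provider's keys that the card domain never reads; a pre-signed applet is stored only if the signature check by the security domain mapped to it passes (the card domain acts as the default domain for applets that have none); the applet then steps through the load, install, register, personalize and activate states; and a card block request is honoured only for applets the issuer has authorized, after which only audit commands are served. HMAC-SHA256 and a SHA-256 keystream stand in for the card's real cryptographic service, and every key, application identifier and applet byte string is constructed for the example.

```python
import hashlib
import hmac
import os
from enum import Enum


class CardState(Enum):  # card life cycle states named in the abstract
    MASKED = "masked"
    INITIALIZED = "initialized"
    LOAD_SECURED = "load secured"
    BLOCKED = "blocked"


class AppState(Enum):  # application life cycle states named in the abstract
    NOT_AVAILABLE = "not available"
    LOADED = "loaded"
    INSTALLED = "installed"
    REGISTERED = "registered"
    PERSONALIZED = "personalized"
    ACTIVATED = "activated"
    BLOCKED = "blocked"


# Forward path load -> install -> register -> personalize -> activate (FIG. 7B).
NEXT_APP_STATE = {AppState.LOADED: AppState.INSTALLED, AppState.INSTALLED: AppState.REGISTERED,
                  AppState.REGISTERED: AppState.PERSONALIZED, AppState.PERSONALIZED: AppState.ACTIVATED}


class SecurityDomain:
    """Holds one provider's keys and offers a decrypt-and-verify service. HMAC-SHA256 and
    a SHA-256 keystream stand in for the card's real cryptography; all keys are constructed."""

    def __init__(self, mac_key: bytes, enc_key: bytes) -> None:
        self._mac_key, self._enc_key = mac_key, enc_key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [hashlib.sha256(self._enc_key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def encrypt(self, nonce: bytes, text: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(text, self._keystream(nonce, len(text))))

    decrypt = encrypt  # XOR with the same keystream inverts itself

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self._mac_key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(message), tag)


def pre_sign_application(provider_keys: SecurityDomain, code: bytes):
    """Off-card provider step (FIG. 12B): encrypt the applet, then sign nonce||ciphertext
    with a key equivalent to the one already placed in the card's security domain."""
    nonce = os.urandom(16)
    ciphertext = provider_keys.encrypt(nonce, code)
    return nonce, ciphertext, provider_keys.sign(nonce + ciphertext)


class CardDomain:
    """The issuer's privileged on-card application (card domain 308 in the text)."""
    AUDIT = "audit"  # the only command served once the card is blocked

    def __init__(self, issuer_keys: SecurityDomain, security_domains: dict) -> None:
        self.state = CardState.LOAD_SECURED
        self.security_domains = {"issuer": issuer_keys, **security_domains}  # card domain = issuer's SD
        self.app_state, self.app_code, self.app_to_sd = {}, {}, {}
        self.block_service_users = set()  # applets the issuer permits to block the card
        self.audit_log = []

    def handle_command(self, name: str) -> bool:
        """A blocked card answers audit commands only."""
        return self.state is not CardState.BLOCKED or name == self.AUDIT

    def load_application(self, aid: str, sd_name: str, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
        """Secure install: the applet's security domain (the card domain itself when none is
        assigned) checks the signature and decrypts; a bad signature leaves nothing on the card."""
        if not self.handle_command("load"):
            raise RuntimeError("card is blocked")
        sd_name = sd_name if sd_name in self.security_domains else "issuer"
        if not self.security_domains[sd_name].verify(nonce + ciphertext, tag):
            self.audit_log.append(("load rejected", aid))
            return False
        self.app_code[aid] = self.security_domains[sd_name].decrypt(nonce, ciphertext)
        self.app_state[aid], self.app_to_sd[aid] = AppState.LOADED, sd_name
        return True

    def advance(self, aid: str) -> AppState:
        """Install, register, personalize or activate: one step along FIG. 7B."""
        current = self.app_state.get(aid, AppState.NOT_AVAILABLE)
        if current not in NEXT_APP_STATE:
            raise ValueError(f"no forward transition from '{current.value}'")
        self.app_state[aid] = NEXT_APP_STATE[current]
        return self.app_state[aid]

    def request_card_block(self, aid: str) -> bool:
        """FIG. 9: an applet may block the card only if the issuer authorized it to."""
        if aid not in self.block_service_users:
            self.audit_log.append(("block refused", aid))
            return False
        self.state = CardState.BLOCKED
        self.audit_log.append(("card blocked", aid))
        return True
```

The separation the text asks for falls out of the object layout: the issuer's card domain only ever calls `verify` and `decrypt` on a `SecurityDomain`, so vendor A's keys stay inside that object, and an applet signed under vendor A's keys cannot be loaded through the issuer's default domain because the HMAC will not verify there.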
Memory allocations have been performed by the time an application is in an install state. An application is also personalized after loading and installing. A personalized application includes card holder specific data and other required data which all
