United States Patent [19]
Jones et al.

[11] Patent Number: 5,623,637
[45] Date of Patent: Apr. 22, 1997
Publication: US005623637A

[54] ENCRYPTED DATA STORAGE CARD INCLUDING SMARTCARD INTEGRATED CIRCUIT FOR STORING AN ACCESS PASSWORD AND ENCRYPTION KEYS

[75] Inventors: Michael F. Jones, Nashua, N.H.; Arthur Zachai, Swampscott, Mass.

[73] Assignee: Telequip Corporation, Hollis, N.H.

[21] Appl. No.: 651,205

[22] Filed: May 17, 1996

Related U.S. Application Data

[63] Continuation of Ser. No. 161,854, Dec. 6, 1993, abandoned.

[51] Int. Cl.6 ........................ G06F 12/14
[52] U.S. Cl. ......................... 395/491; 395/430; 395/442; 395/833; 395/188.01; 380/23; 380/25
[58] Field of Search ................. 380/23, 25, 4; 395/188.01, 430, 442, 490, 491

[56] References Cited

U.S. PATENT DOCUMENTS

5,068,894  11/1991  Hoppe ..................... 380/23
5,124,117   6/1992  Tatebayashi et al. ........ 380/21
5,204,663   4/1993  Lee ....................... 340/825.34
5,293,424   3/1994  Holtey et al. ............. 380/23
5,307,411   4/1994  Anvret et al. ............. 380/25
5,341,428   8/1994  Schatz .................... 380/23
5,347,580   9/1994  Molva et al. .............. 380/25
5,379,344   1/1995  Larsson et al. ............ 380/23
5,428,685   6/1995  Kadooka et al. ............ 380/25
5,448,045   9/1995  Clark ..................... 380/25

OTHER PUBLICATIONS

"Applied Cryptography," Bruce Schneier, John Wiley & Sons, Inc., 1994, pp. 219-243.

Primary Examiner: Reba I. Elmore
Attorney, Agent, or Firm: Banner & Witcoff, Ltd.

[57] ABSTRACT

A detachable PCMCIA memory card incorporating a smartcard integrated circuit for storing a password value and logic circuitry for preventing access to information stored on the memory card unless the user of the host computer to which the memory card is connected can supply a password matching the stored password. The smartcard integrated circuit may also be used to store public and private key values used to encrypt and decrypt data stored on the card or elsewhere on the host computer or exchanged with a remote computer.

3 Claims, 2 Drawing Sheets

[Sheet 1 of 2: Fig. 1, block diagram of secure memory card 100 connected to host computer 110 and, over a telecommunications link, to remote computer 120. Blocks labelled in the figure: address bus buffers 163, address decoder 195, attribute memory 190, card lock logic 220, data bus buffers 173, encrypt/decrypt unit 177, gate 178, common memory array 150, UART 230, clock 290, and the smart card I.C. 250 containing EEPROM 257 and processor 260. Exhibit stamp on the sheet: IPR2017-00430, UNIFIED EX1003.]

U.S. Patent   Apr. 22, 1997   Sheet 2 of 2   5,623,637

[Fig. 2, data flow diagram of password validation: host computer 110, card lock logic circuit (signals 307 and 313), gate 340 on data bus 345, within secure memory card 100.]

[Fig. 3, data flow diagram of protected host-to-remote communication: remote computer 450, host computer 410, secure card lock logic 415, card data storage 400.]

ENCRYPTED DATA STORAGE CARD INCLUDING SMARTCARD INTEGRATED CIRCUIT FOR STORING AN ACCESS PASSWORD AND ENCRYPTION KEYS

This application is a continuation of application Ser. No. 08/161,854 filed Dec. 6, 1993, abandoned.

FIELD OF THE INVENTION

This invention relates generally to methods and apparatus for storing, processing and communicating private data.

BACKGROUND OF THE INVENTION

Computers are widely used to store and process information which is considered private. For most businesses, the confidentiality of computer data is maintained using the practice followed for conventional business data: restricting access to office space where sensitive records are kept, whether those records take the form of documents kept in file cabinets or machine-readable data stored in a computer. As the capabilities and usefulness of laptop and notebook computers have increased, functions formerly performed within the security of the office have moved to the field. Sales personnel and executives often travel with computers loaded with confidential data on pricing, customers, and strategic planning. Although available encryption and decryption programs can be used to protect such data when it is not in use, these programs are often inconvenient to use or provide poor security as a result of inadequate key management.

Encryption methods typically rely on "secret keys" known only to authorized users of the protected data. In the widely used Data Encryption Standard ("DES") developed and promulgated by the National Bureau of Standards, data is enciphered in 64-bit blocks using a single 56-bit key, as described in National Bureau of Standards' Federal Information Processing Standards Publication 46, "Data Encryption Standard," National Bureau of Standards (1977). Encryption techniques using two keys, one for encrypting the data and a different key for decryption, are called "public key" systems because the encryption key can be made public so that anyone can use the public key to encrypt sensitive data, but only a recipient with the secret key can decrypt it. One widely used and highly effective public key algorithm known as the "RSA" system, named after the inventors Rivest, Shamir and Adleman, is described in Rivest et al. U.S. Pat. No. 4,405,829.

The security of both single-key and public-key encryption systems depends on the user's ability to keep the key or keys secret. Although both the DES and RSA encryption algorithms themselves can be depended upon to provide adequate security, neither system can safeguard data if the keys can be learned. The management of the keys themselves accordingly presents the most difficult component of a good data security system.

SUMMARY OF THE INVENTION

It is an object of the invention to securely store private information in a compact, easily transportable storage device which may be detached from the computer with which it is used.

It is still another object of the invention to protect such electronically stored data against unauthorized access when the detachable storage device is lost or stolen.

It is a further object of the present invention to provide a secure data storage device which may, at the option of the user, selectively limit access to all or part of the stored data using one or more passwords.

It is a related object of the invention to securely store access passwords, encryption or decryption keys, or digital signatures, in a tamper-proof substorage unit interconnected with a data access mechanism, which are integral parts of a detachable computer memory card.

In a principal aspect, the present invention takes the form of a removable memory card, preferably implemented in conformity with the PCMCIA (Personal Memory Card Industry Association) interface standard, which provides the host computer to which it is connected with additional high-speed storage, the memory card consisting of a data storage unit, storage-access locking circuitry, and a tamper-proof key information substorage unit. In accordance with the invention, the locking circuitry is adapted to prevent access to the data stored on the memory card unless the would-be user first presents identifying information which is validated by the locking circuitry with reference to one or more key values stored in the key information substorage unit.

The removable memory card contemplated by the present invention allows data stored on the card to be made immediately available to the connected host computer upon proper presentation of a password known only to an authorized user. Once the password has been validated, the stored data may then be made available to the host processor in decrypted form.

In accordance with the invention, the key information substorage unit advantageously takes the form of a "smartcard" integrated circuit capable of storing secret key values which may be used to provide password-protected access to the data stored on the memory card, or optionally to provide secure storage for the encryption or decryption keys, or digital signatures, needed to allow the host computer to access and/or operate a secure information storage or telecommunications system. In accordance with the invention, access to data, passwords, digital signatures, or other key values stored on the memory card is limited to those who (1) have physical possession of the memory card and (2) have knowledge of the memory card access password stored in the card's secure substorage unit.

The smartcard integrated circuit advantageously stores such passwords, public key and secret key values, and/or digital signatures in an Electrically Erasable Programmable Read Only Memory (EEPROM), and further includes its own microprocessor containing a stored program to allow reading and writing of the EEPROM through a serial I/O interface. The stored program within the smartcard IC allows an access password to be programmed into the EEPROM from an external source via the serial interface, but thereafter prevents that password value from being accessed. For enhanced security, the smartcard integrated circuit includes means for monitoring voltages and frequencies to detect abnormal conditions which may indicate an attempt to tamper with the key storage unit to gain unauthorized access to the stored secret key information.

These and other objects, features and advantages of the present invention will become more apparent by considering the following detailed description of a preferred embodiment of the invention, during which frequent reference will be made to the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 of the drawings is a block diagram of a secure memory card which embodies the principles of the invention, the memory card being shown interconnected with a host computer which is in turn connected to other computers by telecommunications links.

FIG. 2 is a data flow diagram depicting a preferred mechanism for providing password protection for information stored within a memory card of the type shown in FIG. 1.

FIG. 3 is a data flow diagram illustrating the use of a secure data card as shown in FIG. 1 to protect the privacy of information being sent between a host computer and a remote computer.

DESCRIPTION OF THE PREFERRED EMBODIMENT

HARDWARE

As illustrated in FIG. 1 of the drawings, the preferred embodiment of the invention takes the form of a personal computer memory card indicated generally at 100. The memory card 100 is interconnected with a host computer 110 by means of a hardware and software interface which conforms to the Personal Computer Memory Card International Association (PCMCIA) standard which has been widely accepted for use in laptop and notebook computers. PCMCIA cards are commonly used to provide additional high-speed memory capacity to the connected host computer, or to implement fax and data modems, network access devices, and hard-disk mass storage devices. Type 1 PCMCIA cards have a form factor typically used to provide additional memory for data and application programs, while the thicker Type 2 cards are used to add telecommunications features and Type 3 cards are used for high-capacity hard disk drives that store up to 100 megabytes of data.

The removable character of PCMCIA storage devices can provide better data security than storage built into the computer itself, because the card may be detached from the computer and placed in a secure area when not in use. However, the cards themselves remain subject to possible theft or misuse. The embodiment of the invention shown in FIG. 1 provides significant additional security for data and programs stored in a detachable memory card by incorporating an access-locking mechanism for preventing access to the stored data by those who are unable to present an authorizing password.

The secure memory card 100 contemplated by the invention is adapted to be connected via its PCMCIA interface to the host computer 110 which may in turn be connected to other computers by modem, or by a network, as illustrated by the connection of remote computer 120 via the telecommunications link 130 seen in FIG. 1.

The secure memory card 100 stores data in a common memory array 150, preferably implemented with non-volatile flash memory integrated circuits, enabling the common memory array to store 10 megabytes of data in an area small enough to be included on a credit-card sized Type I PCMCIA card. The data is stored in random access locations specified by address values supplied via the PCMCIA's standard 26-bit address bus terminals 161. The address terminals 161 provide address signals to an input address bus buffer circuit 163 which drives an internal address bus 165. Data transfers between the common memory array 150 and the host computer 110 are accomplished via the interface data terminals 171, a data bus buffer 173, an internal data bus 175, an internal encryption/decryption unit 177, a gate 178 and an internal data bus 179. Control signals are exchanged between the common memory array 150 and the host computer via the PCMCIA interface control terminals 181 and an internal control bus 185.

The address terminals 161, data terminals 171 and control terminals 181 seen in FIG. 1 are a simplified representation of the 68 pin PCMCIA standard interface which includes provision for 26 parallel address conductors (A0-A25), 16 parallel data conductors (D0-D15) and a remaining set of power and control conductors including power and ground connections and a collection of memory control signal connections (enable, select, wait, write, detect, etc.). The PCMCIA standard achieves interchangeability of cards of different functions by establishing standards for the physical card (dimensions and mechanical tolerances for the card and connectors), the card interface (pinout and signal definitions), and card software (which specifies the organization of data on the card and the record formats and protocols by which configuration information and data is exchanged with the host computer). Complete information which defines the PCMCIA standard is published by and available from the Personal Computer Memory Card International Association, 1030G East Duane Avenue, Sunnyvale, Calif. 94086. The present embodiment of the invention conforms to the PC Card Standard Specification, Release 2.01, published in November, 1992.

To implement the PCMCIA interface standard, the secure memory card includes a non-volatile attribute memory 190 which stores information enabling the host computer to automatically identify the particular PCMCIA card as soon as the card and host are connected, and to automatically establish the appropriate hardware/software interface using suitable driver software which executes on the host computer 110.

The attribute memory 190 shares the internal address bus 165, data bus 175 and control bus 185 with the common memory array 150. An address decoder 195 monitors the address bus 165 and provides selection signals to the attribute memory 190 via an attribute memory enable line 197 when addresses within the address space of attribute memory 190 appear on address bus 165 concurrently with the activation of the Attribute Memory Select signal terminal -REG (not separately shown in FIG. 1) in the PCMCIA connector interface.

Similarly, the address decoder 195 selects the common memory array 150 whenever the address on address bus 165 is within the address space of array 150 by energizing a common memory enable line 210 which supplies an enable signal to the gate 178 in the data pathway to the common memory array 150.

Gate 178 prevents the common memory array 150 from exchanging data with the host 150 via data bus 179 unless an authorization signal is supplied to the gate 178 via a control line 219 from a card lock logic circuit 220. The card lock logic circuit 220 is connected to address decoder 195 via the lock enable line 221, permitting card logic 220 to identify addresses which designate memory locations in the common memory array 150 to which access may be denied under appropriate circumstances. The card lock logic circuit 220 is connected to the internal data bus 175 which provides a pathway for downloading memory access control commands from the host computer 110.

A smartcard input/output enable line 198 transmits an enable signal from the address decoder 195 to a Universal Asynchronous Receiver Transmitter (UART) 230 when information is to be transferred between the host computer 110 and a smartcard integrated circuit 250. The UART 230 is connected to the internal data bus 175 and operates to translate data received in bit-parallel form from data bus 175 into bit serial form for transfer to the smartcard integrated circuit "I.C." via its serial port 255.

The smartcard I.C. includes its own processor 260 and non-volatile EEPROM memory circuits 257 which operate as a secret key information substorage system. The processor 260 within the smartcard I.C. 250 is programmed to store secret key codes within the EEPROM 257, but to thereafter prohibit the stored secret keys from being accessed by any external interrogation. The smartcard I.C. may be implemented with a number of available devices, including the ST16F48 CMOS MCU-based Safeguarded Smartcard IC, with 8k EEPROM, available from SGS-Thomson Microelectronics, a member of the SGS-Thomson ST16XYZ family of devices, as specified in the SGS-Thomson Data Book (April, 1993). The ST16F48 includes an 8-bit processor, 288 bytes of RAM scratchpad storage, an 8k byte EEPROM data memory which forms the secure substorage unit, and a 16k byte program storage read-only memory for storing processing routines, including routines for processing and validating key values supplied to and read from the smartcard I.C. via the UART 230.

Data transfers and operations, both within the memory card 100 and between the card 100 and the host computer 110, are controlled by the card lock logic circuit 220. When the lock circuit enable line 221 is activated in response to the detection of an access control command address value by address decoder 195, the card lock logic circuit 220 responds to commands and data supplied to the internal data bus 175 from the host computer 110 via the data conductors 171 and the data bus buffers 173. The card lock logic circuit 220, the UART 230 and the smartcard I.C. 260 operate under the control of a common timing signal provided by an on-card clock generator circuit seen at 290 in FIG. 1.

The address space provided by the common memory array 150 is preferably partitioned into independently accessed regions. Each partition is specified in a Card Information Structure or "CIS" (to be described) which is stored in the attribute memory 190, and preferably corresponds to the memory space provided by one or more integrated circuits making up the array 150 such that a particular partition may be selected by the address decoder 195 which activates particular chip enable lines with the common memory enable output 210.

The access password itself is stored in the EEPROM 257 within the smartcard I.C. 250, the password storage operation being accomplished within the memory card 100 whenever a card lock logic activation address is supplied via address terminals 161 and the address buffer 163 to the address decoder 195 which in turn activates the card logic enable line 221. A password loading command applied via the data interface terminals 171 from the host computer is recognized by card lock logic 220 which channels the subsequent data sequence (the password itself) via the UART 230 and the serial port 255 of the smartcard I.C. 250 for storage at a predetermined location in the EEPROM 257.

Once a password has been stored for a particular partition, the card lock logic circuit 220 has exclusive control over access to that partition. Any attempt to access that partition (as detected by the address decoder 195) will be rejected, notifying the device driver software that a valid password must be provided. The driver software then prompts the user with a request for a valid password which, when entered, is sent via the data buffer 173 for validation. The card lock logic 220 routes the offered password to the smartcard I.C. with a request that it be compared with the password stored in the EEPROM 257. If the passwords match, the smartcard I.C. so notifies the card lock logic 220 which in turn notifies the device driver software executing in the host that the partition has been successfully unlocked. Thereafter, when addresses within the unlocked partition are detected by the address decoder 195, the card lock logic will activate the gate 178 to permit data transfers between that partition and the data terminals 171.

To provide additional security, the data transferred over the 16-bit data bus between the data bus buffer 173 and the gate 178 is processed by the encryption-decryption unit 177 which preferably implements a symmetrical key algorithm, such as DES, based on a key value which is stored in and fetched from the EEPROM 257 in the smartcard I.C. 250. The unit 250 encrypts data from the data bus buffer 173 prior to storing the data in the common memory array 150, and decrypts the data back into its original form when it is retrieved from the common memory array 150. This additional encryption mechanism protects data stored in the common memory array even if that data is successfully read from the flash memory chips making up the array 150. As discussed in more detail later, the secure key storage mechanism provided by the memory card may also be used to protect sensitive data being manipulated by mechanisms external to the memory card 100.

All of the operative circuitry making up the memory card 100, with the exception of the attribute memory 190, the common memory array 150, and the smartcard I.C. 250, is preferably implemented by means of a single, monolithic application specific integrated circuit (ASIC) as indicated within the dashed line rectangle 290 in FIG. 1. By integrating this circuitry in a monolithic integrated circuit, security against invasive attempts to ascertain built-in unlock codes (to be discussed) or to bypass or disable security functions is substantially improved.

SOFTWARE

As previously noted, the attribute memory 190 stores information which specifies the nature of the memory card 100 and the format used for the information stored on the card. The attribute memory 190 holds a Card Information Structure ("CIS") which is organized in a "Metaformat" defined in Section 5 of the PCMCIA PC (Personal Computer) Card Standard, Release 2.01, for handling numerous different data recording formats. The CIS is organized as a hierarchy of layers and takes the form of a chain (linked-list) of data blocks called "tuples" which begin at address 0 of the attribute memory 190.
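
As an added illustration of the linked-list walk a host driver performs over such a tuple chain (example code written for this page, not code from the patent or from Telequip): the code/link/body tuple layout and the codes CISTPL_DEVICE, CISTPL_VERS_1 and CISTPL_END follow the PC Card standard; the contiguous byte image, its sample values, and the vendor-specific "partition locked" tuple 0x80 with a three-byte body are constructed assumptions standing in for the CIS record that the PARTITION LOCK operation described later writes for a locked partition. The point a practitioner should take from it is the bounds checking: every link byte is validated against the image, so a corrupt or tampered CIS cannot make the driver read past the attribute memory or spin on an unterminated chain.

```python
# Tuple codes from the PC Card standard. CISTPL_VENDOR_LOCK (0x80) and the
# layout of its body are this example's constructed stand-in for the record
# the driver places in the CIS when a partition is locked.
CISTPL_NULL = 0x00
CISTPL_DEVICE = 0x01
CISTPL_VERS_1 = 0x15
CISTPL_VENDOR_LOCK = 0x80   # hypothetical vendor-specific tuple
CISTPL_END = 0xFF


def parse_cis(image: bytes, max_tuples: int = 64) -> list[tuple[int, bytes]]:
    """Walk the tuple chain from address 0. Each tuple is <code><link><body>,
    where link is the body length in bytes; the chain ends at CISTPL_END.
    Every offset is checked against the image so a corrupt or hostile CIS
    cannot make the driver read outside the attribute memory or loop."""
    tuples: list[tuple[int, bytes]] = []
    off = 0
    while off < len(image):
        code = image[off]
        if code == CISTPL_END:
            return tuples
        if code == CISTPL_NULL:          # single padding byte, no link field
            off += 1
            continue
        if off + 1 >= len(image):
            raise ValueError(f"truncated tuple header at 0x{off:X}")
        link = image[off + 1]
        body = image[off + 2:off + 2 + link]
        if len(body) != link:
            raise ValueError(f"tuple 0x{code:02X} at 0x{off:X} overruns the image")
        tuples.append((code, bytes(body)))
        if len(tuples) > max_tuples:
            raise ValueError("tuple chain too long")
        off += 2 + link
    raise ValueError("tuple chain not terminated by CISTPL_END")


def parse_vers_1(body: bytes) -> tuple[int, int, list[str]]:
    """CISTPL_VERS_1 body: major, minor, then NUL-terminated ASCII strings
    (manufacturer, product, ...) closed by a 0xFF byte."""
    major, minor = body[0], body[1]
    text = body[2:]
    end = text.find(b"\xff")
    if end < 0:
        raise ValueError("CISTPL_VERS_1 missing 0xFF terminator")
    strings = [s.decode("ascii") for s in text[:end].split(b"\x00") if s]
    return major, minor, strings


def locked_partitions(tuples: list[tuple[int, bytes]]) -> dict[int, int]:
    """Map partition id -> EEPROM slot from the hypothetical lock tuples
    (body: partition id, locked flag, EEPROM slot; the slot, never the
    password value, is what the CIS records)."""
    found: dict[int, int] = {}
    for code, body in tuples:
        if code == CISTPL_VENDOR_LOCK and len(body) == 3 and body[1] == 1:
            found[body[0]] = body[2]
    return found


# Constructed attribute-memory image (not taken from any real card): a device
# tuple, a version tuple, one lock record for partition 1 in slot 2, padding, end.
SAMPLE_CIS = (
    bytes([CISTPL_DEVICE, 0x03, 0x52, 0x60, 0xFF])
    + bytes([CISTPL_VERS_1, 0x17, 0x04, 0x01]) + b"Telequip\x00SecureCard\x00\xff"
    + bytes([CISTPL_VENDOR_LOCK, 0x03, 0x01, 0x01, 0x02])
    + bytes([CISTPL_NULL, CISTPL_END])
)

# The same image with the lock tuple's link byte corrupted to claim 127 bytes
# of body when only 5 bytes remain; parse_cis must reject it, not read past it.
CORRUPT_CIS = SAMPLE_CIS[:-7] + bytes([CISTPL_VENDOR_LOCK, 0x7F]) + SAMPLE_CIS[-5:]
```

A real card presents the CIS on even attribute-memory addresses only; the driver that copies it into a contiguous buffer, as assumed here, should apply the same length checks while copying.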
The PCMCIA standard also establishes standards for the operation of host processor operating system software which can be used to simplify the design of specific device drivers which provide access to the memory card. The standard "Socket Services" and "Card Services" card interface software, when implemented on a given host computer, provides a Card Services interface with "Client Device Drivers," significantly simplifying the design of device drivers by providing much of the functionality required for communication with socketed PCMCIA cards. For host computers which are not provided with standard PCMCIA Card Services and Socket Services functions, the device driver directly interrogates the CIS structures in the attribute memory using standard linked-list processing techniques, and provides direct software support for the bulk memory functions which would otherwise be supported by the PCMCIA Card Services interface.

Whether utilizing available Card Services routines or directly addressing and manipulating the memory card hardware interface, the device driver itself may be specified in the DOS CONFIG.SYS file and loaded when the host processor is initialized, or may take the form of an independently loadable TSR program. The discussion which follows describes the operation of a Client Device Driver adapted to operate in conjunction with PCMCIA standard Card Service functions and notification mechanisms.

The programming interface to the PCMCIA Card Services software is defined in Section 3 of the PCMCIA Standard (Release 2.01) which specifies a variety of services which are available to Client Device Drivers, as well as callback mechanisms for notifying Client Device Drivers of status changes. In addition to conventional memory operations provided by Bulk Memory Service functions, the Card Services software also provides Client Utility functions which allow client device drivers to access and manipulate the CIS stored in the memory card's attribute memory 190.

Card management routines, either forming a part of the Client Device Driver or part of a special purpose application program for configuring the memory card according to the user's needs, are executed on the host computer. These card management routines in turn utilize the functions provided by the PCMCIA Card Services software to implement the following two special operations which are not required for conventional PCMCIA memory cards:

PARTITION LOCK.

This operation accepts two parameters from the user: (1) a password value, typically taking the form of an ASCIIZ (null-terminated) string of keyboarded characters entered by a user in response to a prompt, and (2) a partition identifier which specifies a portion of the address space provided by the common memory array 150. At the same time, the fact that a given partition has been locked, together with an identification of the EEPROM memory location of the password (but not its value), are recorded in the CIS entry for that partition. The storage of a password associated with a particular partition has the effect of locking that partition against subsequent attempts to use the data or programs stored within that partition without first supplying a valid password.

The memory card 100 is initialized as a standard memory card before being first delivered to the end user, and provides one or more freely accessible storage partitions prior to receiving the first PARTITION LOCK command.

PARTITION UNLOCK.

Whenever a PCMCIA card is newly inserted into the socket of a running host computer, the Client Device Driver is notified by the Card Services software (via its CARD_INSERTION callback function), so that it can process the card's CIS entries to identify each partition that may be password-protected. Similarly, when the host computer is first powered up and the Client Device Driver is initialized, the Client Device Driver calls Card Services functions to process the card's CIS entries to identify each partition that may be locked.

The device driver software then attempts to access each identified partition. If the partition is locked (as determined by the mechanism discussed above), the card lock logic 220 notifies the device driver of the locked condition, allowing the device driver to request a valid password from the user, either at the time the host computer is being initialized with an already socketed memory card, or at the time a memory card is first inserted into an already running host computer.

Other Operations.

To support encryption and decryption systems, systems employing digital signatures, and secure telecommunications access protocols, examples of which will be discussed below, the card lock logic unit 220 and UART 230 also provide the capability for storing additional passwords, key values, access codes and the like in the secure substorage system provided by the smartcard I.C. 250, or alternatively (but less securely) in the common memory array 150 or in the attribute memory 190.

PASSWORD AND KEY MANAGEMENT

A preferred mechanism for validating the user's password needed to unlock a particular memory partition is illustrated in FIG. 2 of the drawings. First, as previously described, the user who desires to protect information stored on the card supplies a secret password which is written into the smartcard I.C. memory as indicated at 301. When an attempt is made to access data protected by the secret password 301, the ASIC 290 implementing the card lock logic unit 220 generates a random number 303 which is supplied to the host computer 110 as indicated at 307. The host computer 110 then prompts the user to enter a password at 309. The offered password 309 is combined with the random number 303 at 311 and the result is returned at 313 to the ASIC 290. The returned value is then combined at 317 with a fixed unlock code 319 (built into the ASIC 290) to produce a final value which is applied to a first input 321 of a comparator 320.

At the same time, the random number 303 which was sent to the host is also sent to the smartcard I.C. 250 whose processor 260 is programmed to combine the random number 303 at 325 with the previously stored secret password 301 to form a result value at 327. The result value 327 is combined at 328 with a copy 330 of the unlock code 319, and the resulting final value is applied to the second input 322 of the comparator 320. If the final value at input 321 which is created by the password offered by the user matches the final value at input 322 created by the password stored within the smartcard I.C. 250, the partition associated with the stored password will be unlocked by sending an activation signal 335 to a data flow gate 340 connected in the path of a data bus 345 connecting the host computer 350 and the memory card's common memory array 360.

It is important to observe that the data stored in a protected partition within the memory card 100 is available only to those who possess both the card and the password. Neither possession of the card without knowledge of the password, nor knowledge of the password without physical possession of the card, will be sufficient to obtain access to the data.
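
The following added example models the PARTITION LOCK operation, the gate 178 access check, and the FIG. 2 challenge-and-compare flow in Python (written for this page; it is not the patent's or Telequip's code). The patent does not name the function used to "combine" values at 311, 317, 325 and 328, so HMAC-SHA256 is used here as an assumption; the unlock code, the two-partition memory map, the 16-byte random number and the slot-number record are likewise constructed. What it demonstrates is the property the text claims: the password itself never crosses the host/card bus, a wrong password or a replayed answer to an earlier random number does not open the gate, and a partition with no password stays readable.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the fixed unlock code 319 built into the ASIC 290.
UNLOCK_CODE = b"constructed-unlock-code-319"


def combine(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 'combine' steps 311/317/325/328; the patent names no
    function, so HMAC-SHA256 is this example's assumption."""
    return hmac.new(key, data, hashlib.sha256).digest()


def host_answer(offered_password: bytes, nonce: bytes) -> bytes:
    """Step 311 on the host: only combine(password, nonce) crosses the bus (313)."""
    return combine(offered_password, nonce)


class SmartcardIC:
    """Smartcard I.C. 250: EEPROM slots are programmed once and never read back;
    only a value derived from the stored password leaves the chip."""

    def __init__(self) -> None:
        self._eeprom: dict[int, bytes] = {}

    def store_password(self, slot: int, password: bytes) -> None:
        if slot in self._eeprom:
            raise PermissionError("EEPROM slot already programmed")
        self._eeprom[slot] = password

    def response(self, slot: int, nonce: bytes) -> bytes:
        # Steps 325 and 328: nonce with stored password, then unlock-code copy 330.
        return combine(combine(self._eeprom[slot], nonce), UNLOCK_CODE)


class PartitionLocked(Exception):
    """Gate 178 is closed for the addressed partition."""


class SecureCard:
    """Card lock logic 220 and gate 178 over a constructed 4 KiB array split
    into two partitions (the sizes are assumptions)."""

    PARTITIONS = {"A": range(0x000, 0x800), "B": range(0x800, 0x1000)}

    def __init__(self) -> None:
        self.memory = bytearray(0x1000)
        self.smartcard = SmartcardIC()
        self.slot_of: dict[str, int] = {}    # partition -> EEPROM slot (what the CIS records)
        self.unlocked: set[str] = set()
        self.pending: dict[str, bytes] = {}  # outstanding random number 303 per partition

    def partition_lock(self, name: str, password: bytes) -> None:
        """PARTITION LOCK: the password goes to the smartcard; the card keeps
        only the slot number, never the value."""
        slot = len(self.slot_of) + 1
        self.smartcard.store_password(slot, password)
        self.slot_of[name] = slot
        self.unlocked.discard(name)

    def begin_unlock(self, name: str) -> bytes:
        """Steps 303/307: a fresh random number for this attempt."""
        nonce = secrets.token_bytes(16)
        self.pending[name] = nonce
        return nonce

    def finish_unlock(self, name: str, returned_value: bytes) -> bool:
        """Steps 317-322: fold in the unlock code, compare in constant time with
        the smartcard's value for the same nonce, and consume the nonce."""
        nonce = self.pending.pop(name, None)
        if nonce is None or name not in self.slot_of:
            return False
        expected = self.smartcard.response(self.slot_of[name], nonce)
        if hmac.compare_digest(combine(returned_value, UNLOCK_CODE), expected):
            self.unlocked.add(name)   # activation signal 335 opens the gate
            return True
        return False

    def _check_gate(self, addr: int, length: int) -> None:
        # Both ends of the transfer must lie in a partition that is open.
        for a in (addr, addr + length - 1):
            name = next(n for n, span in self.PARTITIONS.items() if a in span)
            if name in self.slot_of and name not in self.unlocked:
                raise PartitionLocked(name)

    def write(self, addr: int, data: bytes) -> None:
        self._check_gate(addr, len(data))
        self.memory[addr:addr + len(data)] = data

    def read(self, addr: int, length: int) -> bytes:
        self._check_gate(addr, length)
        return bytes(self.memory[addr:addr + length])


def demo() -> dict:
    """Lock partition B, then show denied, wrong, correct and replayed attempts."""
    card = SecureCard()
    card.write(0x900, b"pricing")              # B is freely accessible until first lock
    card.partition_lock("B", b"correct horse")
    out = {}
    try:
        card.read(0x900, 7)
        out["locked_read"] = "allowed"
    except PartitionLocked:
        out["locked_read"] = "denied"
    out["other_partition"] = card.read(0x000, 4)   # A has no password: still readable
    out["wrong_pw"] = card.finish_unlock("B", host_answer(b"guess", card.begin_unlock("B")))
    answer = host_answer(b"correct horse", card.begin_unlock("B"))
    out["right_pw"] = card.finish_unlock("B", answer)
    out["after_unlock"] = card.read(0x900, 7)
    card.unlocked.discard("B")                  # e.g. card removed and re-inserted
    card.begin_unlock("B")                      # a new random number is issued ...
    out["replay"] = card.finish_unlock("B", answer)   # ... so the captured answer fails
    return out
```

The replay check at the end is the reason the random number 303 matters: a value captured on the bus during one unlock is useless against the next challenge, whereas a fixed comparison would let anyone who recorded the bus traffic reopen the partition.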

The combined requirement that the bearer of the card also know the passw
