(19) United States
(12) Patent Application Publication
de Jong
(10) Pub. No.: US 2005/0184163 A1
(43) Pub. Date: Aug. 25, 2005

(54) METHOD AND APPARATUS FOR PROCESSING AN APPLICATION IDENTIFIER FROM A SMART CARD

(75) Inventor: Eduard K. de Jong, Redland (NL)

Correspondence Address:
GUNNISON MCKAY & HODGSON, LLP
1900 GARDEN ROAD
SUITE 220
MONTEREY, CA 93940 (US)

(73) Assignee: Sun Microsystems, Inc., a Delaware Corporation

(21) Appl. No.: 10/786,312

(22) Filed: Feb. 24, 2004

Publication Classification

(51) Int. Cl.7 ........ G06K 19/06
(52) U.S. Cl. ........ 235/492

(57) ABSTRACT

An application identifier (AID) for an application installed on a smart card comprises a registered application provider identifier (RID). The AID may be processed by determining the RID for an application from the AID of the application, generating an identifier for a network resource from the RID, transmitting a request to the network resource using the identifier, and receiving a response to the request. The response comprises material for use in handling the application on the smart card.

[Figure 1A: AID Object 161 wrapping a byte array.]

[Figure 1B (flowchart). Terminal 110: Detect Card Insert 162; Activate Card 164; Request Application 166; Receive matching AID 180. Card 102: Power Up; Card is Activated 172; Receive Request 174; Identify Matching Application 176; Launch matching AID 177; Return matching AID 179.]

[Figure 1C (flowchart). Terminal 110: Detect Card Insert 162; Activate Card 164; Request Application 166; Receive matching AID(s) 180; Select Applet to Launch 182. Card: Power Up; Card is Activated 172; Receive Request 174; Identify Matching Application(s) 176; Return matching AID(s) 179; Launch selected Applet 190.]

[Figure 2 (life cycle diagram): Create Java Card 210; Preload Applications 215; Issue Card (Personalization) 220; Add/Remove Applications 235; Terminate Card 240.]

[Figure 5: composition of an AID: Firewall ID 502A; Applet ID 502B; Other 502C.]

[Figure 5A: AID Interpreter 411 containing Buffer 561 (byte array).]

[Figure 5B: AID Interpreter 411 containing RID Object 540, Firewall ID Object 541 and Applet ID Object 542 (each a byte array).]

[Figure 5C: AID Interpreter 411 containing RID Object 540, Firewall ID Object 541, Applet ID Object 542 and Buffer 564 (byte array).]

[Figure 5D: AID Interpreter 411 containing Firewall ID Object 541, Applet ID Object 542 and Buffer 564 (byte array).]

[Figure 6 (flowchart): Receive AID parameters 674; Find AID Interpreter 684; Compare AID parameters 693; AID parameter match 694?; Last Applet 695?; Obtain Whole AID from AID interpreter 696; Report No Match 699.]

[Figure 6A (flowchart): Receive RID, FW ID, Applet ID 674; Call RID match 682; RID match? 684; Call Firewall match 686; Firewall match? 688; Call Applet match 690; Select Next Applet 697; Obtain Whole AID 696; Report No Match 699.]

[Figure 6B (flowchart): Receive RID, FW ID, Applet ID 674; Select First Applet 680; Find AID Interpreter 681; Retrieve RID 682B; Retrieve Firewall ID 686B; Firewall match? 688; Retrieve Applet ID 690B; Select Next Applet 697; Obtain Whole AID 696; Report Error 699.]

[Figure 6C (flowchart): Receive RID, FW ID, Applet ID 674; Select First Applet 680; Find AID Interpreter 684; Retrieve RID, Firewall ID and Applet ID 682C; Firewall match? 688; Applet Match? 692; Select Next Applet 697; Obtain Whole AID 696; Report Error 699.]

[Figure 6D (flowchart): Receive RID, FW ID, Applet ID 674; Select First Applet 680; Find AID Interpreter 681; Call RID, Firewall ID and Applet ID match 682D; Firewall match? 688; Select Next Applet 697; Obtain Whole AID 696; Report Error 699.]

[Figure 6E (flowchart): Receive AID parameters 674; Find AID interpreters for all applets 681E; Compare AID parameters for each applet 693E; matching AID parameter set?; Obtain Whole matching AID from AID interpreter 696; Report No Match 699.]

[Figure 6F (flowchart): Request card AID parameters 604; Receive card AID parameters and AID for each applet 606; Compare AID parameters for each applet 608; Any matching AID parameter set?; Supply whole AID to card to launch matching applet 612; Report No Match 699.]

[Figure 7 (flowchart): Call AID Interpreter for AID 710; Access Stored AID 720; Dynamic Data to add to AID 730?; Assemble complete AID 735; Call Applet for Dynamic Data 740; Receive Dynamic Data into AID interpreter 750; Add Returned Dynamic Data to AID 760; Return Complete AID 770.]

[Figure 8 (flowchart): Request Application using Parameters 8005; Receive AID of matching application from Card 8010; Access RID in received AID 8020; Derive Network Resource Identifier from RID 8030; Send Request to Network Resource Identifier 8040; Receive Material over network 8050; Use Material to Support Session 8060.]

[Figure 8A (flowchart): Perform look-up of URL from RID 8030A; Download code/data from URL 8040A.]

[Figure 8B (flowchart): Use RID in search string for first URL 8030B; Send search request to first URL 8040B; Receive second URL in response to search request 8050B; Download code/data from second URL 8060B.]

[Figure 8C (flowchart): Receive AID mapping over network 8050C; Use AID mapping to decode AID from card 8060C.]

[Figure 8D (flowchart). Terminal: Send network request for material including AID 8040D; Receive Material over network 8050D. Server: Receive Request 8043; Select material based on AID 8046; Return selected material 8049.]

[Figure 8E (flowchart): Derive Network Address from RID 8030E; Is material from address already at terminal? 8033E; Send Request to Network Address 8040E; Receive Material over Network 8050E; Use Material to Support Session 8060E.]

[Figure 8F (flowchart). Terminal: Send network request for material including AID 8040F; Receive Material over network 8050F. Server: Receive Request 8043F; Extract material from AID 8046F; Return extracted material 8049F.]

[Figure 9 (flowchart, 1st Server and 2nd Server): Receive AID from Terminal at first server 9010; Access RID in AID 9020; Determine second server associated with RID 9030; Send Request to second server 9040; Receive Request at Second Server 9045; Identify JAD file based on AID at second server 9050; Return URL to JAD from second server to first server 9060; Receive URL to JAD from second server at first server 9065; Return URL for JAD file from first server to terminal 9070.]

[Figure 11A (flowchart): Obtain RID from card 1110; Does RID match default AID interpreter? 1120; Download AID interpreter for RID 1130; Download Successful? 1140; Use Downloaded Interpreter for Session 1150; Use Default Interpreter for Session 1155; Process Session 1160.]

[Figure 12 (flowchart). Terminal 110: Detect Card Insert 162; Activate Card 164; Request Set of AIDs 1245; Receive AIDs 1246; Extract RIDs 1247; Obtain proxy AID Interpreter(s) 1248; Match RID, Firewall and Applet IDs 1249; Select Applet to Launch 182. Card 102: Power Up; Card is Activated 172; Receive Request 1254; Obtain all AIDs 1256; Return AIDs 1258; Launch selected Applet 190.]

[Figure 12A (flowchart): Extract RID 1247; RID Match? 1212; Discard AID 1230; Determine Proxy AID interpreter 1214; Install Proxy AID Interpreter 1216; Initialize Proxy AID Interpreter with received AID 1218.]

[Figure 13A (flowchart): Determine Proxy 1330; Install Proxy 1332; Initialize Proxy with Proxy AID Interpreter 1334.]

[Figure 13 (flowchart). Terminal: Detect Card Insert 162; Activate Card 164; Request sets of AID and Parameters 1345; Receive Parameters and AIDs 1346; Match Parameters to Applications 1347; Present Options to User 1348; Receive User Selection 1349; Select Applet to Launch 182. Card 102: Power Up; Card is Activated 172; Receive Request 1354; Obtain all Parameters and AIDs 1356; Return Parameters and AIDs 1358; Launch selected Applet 190.]

[Figure 14 (flowchart): Load Java Classes onto Card 1010; Instantiation 1020; Initialization 1030; Configuration 1040; Remaining Initialization and Personalization 1050.]

[Figure 15 (flowchart, within stages 1020, 1030 and 1040): Call applet method for AID Interpreter creation 1510; Form AID with configuration information 1520; Pass AID Interpreter new AID 1530; Save AID onto card 1540; Read configuration information from new AID 1550; Configure in accordance with AID 1560.]

METHOD AND APPARATUS FOR PROCESSING AN APPLICATION IDENTIFIER FROM A SMART CARD

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is related to the following:

[0002] U.S. patent application Ser. No. ______, filed Feb. 24, 2004 in the name of inventor Eduard K. de Jong, entitled “Method and Apparatus for Providing an Application on Smart Card”, Attorney Docket No. SUN-P9176, commonly assigned herewith;

[0003] U.S. patent application Ser. No. ______, filed Feb. 24, 2004 in the name of inventor Eduard K. de Jong, entitled “Method and Apparatus for Installing an Application Onto a Smart Card”, Attorney Docket No. SUN-P9177, commonly assigned herewith; and

[0004] U.S. patent application Ser. No. ______, filed Feb. 24, 2004 in the name of inventor Eduard K. de Jong, entitled “Method and Apparatus for Selecting a Desired Application on a Smart Card”, Attorney Docket No. SUN-P9178, commonly assigned herewith.

FIELD OF THE INVENTION

[0005] The present invention relates to the field of computer science. More particularly, the present invention relates to processing an application identifier from a smart card.

BACKGROUND OF THE INVENTION

[0006] Most people now have a collection of small plastic cards, representing various credit cards, store cards, identity cards, membership cards, and so on. Information about the card and its owner, such as account details and so on, is normally printed or embossed on the card, and may also be stored in some form of magnetic strip. Note that such cards are simply passive storage devices, and the information that they contain is fixed at card creation time.

[0007] In recent years, smart cards have also proliferated. These are similar in scale to traditional credit cards, but incorporate within their plastic cases a microelectronic memory and also (optionally) an embedded processor. It will be appreciated that the computational resources available within a smart card are extremely limited compared to those of a desktop workstation, or even a laptop or handheld device. One especially popular form of smart card is known as a Java Card. This is based on the Java platform developed by Sun Microsystems (“Java” and “Java Card” are trademarks of Sun Microsystems Inc). In such devices, a Java virtual machine (VM) is provided within the smart card to allow the execution of Java applets or applications. Particular advantages of being able to use the Java environment for smart card applications are the inherent security features of the Java environment, plus the ready availability of software development packages for the Java programming language. It is estimated that by the end of 2002 over 200 million Java cards had been shipped. More information about the Java Card smart card platform is available from the page: /products/javacard/ at the web site: http://java.sun.com and from the site: http://www.javacardforum.org/.

[0008] An Application Programming Interface (API) is defined for the Java Card platform. Applications written in the Java programming language invoke this API to access the Java Card run-time environment (JRE) and any native services. The Java Card API allows application portability, in that the same application can run on any smart card that supports the API. The Java Card API is compatible with international standards, in particular the ISO/IEC 7816 family of standards.

[0009] Note that programs that run on smart cards may be referred to as either an application or as an applet. It will be appreciated that there is a clear distinction between a Java applet and a Java application in a desktop environment, in particular the absence of a main class from the former. However, this distinction does not apply in the smart card environment. Thus applets for use on a Java card platform are not the same as applets that run on a web browser. The term applet will generally be used herein to refer specifically to code, and the term application to refer to the higher level functionality provided by the applet code and associated data (unless the context requires otherwise).

[0010] The Java Card platform supports multiple applications on a single card. These may be separated by firewalls, in order to ensure that they do not interfere with one another. This is particularly of concern if the various applications are operated by different organizations, whose business relationships with the cardholder may be independent of one another.

[0011] FIG. 1 is a high-level schematic diagram illustrating the main architectural components in a typical smart card application. In particular, smart card 102 belonging to cardholder 101 interacts with a terminal 110 by exchanging an application protocol data unit (APDU) 108. The format for the APDU is defined by the International Standard ISO/IEC 7816-3.

[0012] Terminal 110 may be a handheld device, an adjunct to a desktop workstation, a dedicated card reader (analogous to an ATM) or any other suitable system. Furthermore, the communications between the smart card 102 and the terminal 110 may be by wired connection, such as some form of bus (e.g. USB), or by wireless link (e.g. radio or some other electromagnetic signal), depending on the particular devices concerned. In addition, the terminal 110 may be under the direct control of an operator 111 (such as for a handheld terminal), or alternatively terminal 110 may be automated (such as for an ATM).

[0013] Terminal 110 interacts with a back office 130 over any suitable form of network 120, such as the Internet, a local area network (LAN), a wide area network (WAN), and so on. Back office 130 may comprise multiple systems (not explicitly shown in FIG. 1), such as a web server or portal attached to network 120, perhaps with an application server and/or a database system behind. Note that the terminal 110 may be off-line until activated by a smart card 102, a card holder 101 or a terminal operator 111 to access a back office 130 over network 120.

[0014] In operation, the cardholder 101 typically places the card 102 into or adjacent to the terminal 110, thereby allowing the two to interact, e.g. to perform a debit operation from the card, in order to purchase some goods. This interaction will generally be referred to herein as a session, and typically involves the exchange of multiple messages between the smart card 102 and the terminal 110. A session can be regarded as comprising multiple transactions, where each transaction represents the completion of some portion of the overall session (e.g. a security authorization).

[0015] Associated with each applet on smart card 102 is an Application Identifier (AID). The AID is a byte string up to 16 bytes long, whose format is defined by International Standard ISO/IEC 7816-5. Thus according to this standard, the first 5 bytes of the AID represent the registered application provider identifier (RID) and have a value allocated by ISO or one of its member bodies. The RID generally indicates the merchant or other entity involved with operating the applet, hereinafter referred to as the RID operator. The RID operator is generally responsible for the back office program 130, and is depicted as application/RID operator 131 in FIG. 1. The last 11 bytes of the RID constitute the proprietary application identifier extension (PIX). The PIX is determined by the RID operator 131, and can be used to store a reference number or other information associated with the applet.

[0016] FIG. 1A illustrates the storage of the AID on a typical smart card 102. The AID bytes are stored in a byte array, which represents internal storage for a Java AID object 161. Applications can therefore access the AID by making appropriate calls to AID object 161, which in effect provides a wrapper for the underlying byte array.

[0017] International standard ISO/IEC 7816-4 defines a procedure to allow a terminal to locate a desired application on a smart card, and this is illustrated at a high level in the flowchart of FIG. 1B. The procedure starts when the smart card 102 is first inserted into the terminal 110. The terminal detects the insertion of the smart card (reference numeral 162), and in response to such detection activates the smart card (reference numerals 164, 172). This activation typically includes providing power to the smart card.

[0018] The terminal now sends a request using an application protocol data unit (APDU) 108 to the smart card (reference numeral 166). The APDU identifies the application to be used in this session in terms of its AID. The request from the terminal is received by the smart card (reference numeral 174), typically within an applet selector program that is running on the smart card 102 as part of a card executive layer. The applet selector is then responsible for locating and launching the application that matches the AID request from the terminal, i.e. the application that has the same AID as specified in the request (reference numerals 176 and 177). The smart card also returns the AID for the matching application back to the terminal 110 (reference numerals 179 and 180). (N.B. Reference numerals 179 and 180 are optional within the context of ISO/IEC 7816-4, although commonly implemented).

[0019] FIG. 1C describes a variation on the above approach (also in accordance with ISO/IEC 7816-4), in which the terminal 110 supplies the card with a truncated AID (known as a partial AID), for example the first ten bytes of an AID. In these circumstances, there may be multiple matches against the partial AID. For example, if two applets have AIDs that have the first ten bytes in common, and then differ only in the final six bytes of the AID, they will both match the same partial AID of length 10 bytes (or less). One reason for using a partial AID might be if the terminal 110 wants to identify all applets on the card having a particular RID.

[0020] The processing of FIG. 1C commences as just described for FIG. 1B, except that at reference numeral 166 the request from the terminal 110 to the smart card 102 comprises only a partial AID. Consequently, the smart card may identify multiple matching applications at reference numeral 176. The AIDs for these matching applications are then returned to the terminal 110 (reference numerals 179, 180), in order to allow the terminal (or user) to select a specific desired application from those matching the partial AID. Thus the terminal now sends a request to the smart card to launch an applet (reference numeral 182). This request specifies the particular applet to be launched on the smart card in terms of its complete AID (generally selected from the set of those received from the smart card at reference numeral 180). The smart card duly responds to this request by launching the applet selected by the terminal (reference numeral 190).

[0021] In fact, the skilled person will realize that although FIG. 1C represents an appropriate logical model for the use of partial AIDs, the actual implementation looks more like FIG. 1B (primarily for historical reasons). Thus current systems generally accommodate the matching and return of multiple matching AIDs by identifying only a single matching AID at a time. In particular, the applet having the AID that is first matched to the partial AID received from the terminal is launched, and the complete AID for this applet is returned to the terminal 110. The smart card then only supplies a next matching AID upon a subsequent specific request from the terminal. Nevertheless, it will be appreciated that multiple matching AIDs could be handled in other ways, such as by returning the complete set of multiple matching AIDs all at once in a single response to the terminal (as depicted in FIG. 1C).

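
The partial-AID matching of paragraphs [0019] to [0021], modelled in Python as an added example that is not part of the patent text: it splits an AID into its 5-byte RID and the remaining PIX bytes, and contrasts the return-all model of FIG. 1C with the one-match-at-a-time behaviour of current cards. The class and function names (`AID`, `AppletSelector`, `enumerate_by_rid`) and the sample AIDs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

RID_LEN = 5        # the first 5 bytes of an AID are the RID
MAX_AID_LEN = 16   # an AID is a byte string up to 16 bytes long

# Constructed sample AIDs (hex) in installation order; not real registered values.
# The first two share their first ten bytes and differ only in the final six.
SAMPLE_AIDS = [
    "F0000000010102030405AAAAAAAAAAAA",
    "F0000000010102030405BBBBBBBBBBBB",
    "F00000000299",
]


@dataclass(frozen=True)
class AID:
    raw: bytes

    def __post_init__(self) -> None:
        if not RID_LEN <= len(self.raw) <= MAX_AID_LEN:
            raise ValueError(
                f"AID must be {RID_LEN}-{MAX_AID_LEN} bytes, got {len(self.raw)}")

    @property
    def rid(self) -> bytes:
        return self.raw[:RID_LEN]

    @property
    def pix(self) -> bytes:
        return self.raw[RID_LEN:]

    def matches(self, partial: bytes) -> bool:
        """True if `partial` is a non-empty leading truncation of this AID."""
        return 0 < len(partial) <= len(self.raw) and self.raw.startswith(partial)


class AppletSelector:
    """Hypothetical model of the card-side applet selector."""

    def __init__(self, installed_hex: List[str]) -> None:
        self.installed = [AID(bytes.fromhex(h)) for h in installed_hex]
        self.launched: Optional[AID] = None   # applet currently launched
        self._pending: List[AID] = []         # matches not yet handed out

    def match_all(self, partial: bytes) -> List[AID]:
        """Logical model of FIG. 1C: every installed AID matching the partial AID."""
        return [a for a in self.installed if a.matches(partial)]

    def select_first(self, partial: bytes) -> Optional[AID]:
        """One-at-a-time model: launch the first match and return its complete AID."""
        self._pending = self.match_all(partial)
        return self.select_next()

    def select_next(self) -> Optional[AID]:
        """Supply the next matching AID only on a subsequent specific request."""
        if not self._pending:
            return None
        self.launched = self._pending.pop(0)
        return self.launched


def enumerate_by_rid(card: AppletSelector, rid: bytes) -> List[AID]:
    """Terminal side: find all applets with one RID by repeated requests."""
    if len(rid) != RID_LEN:
        raise ValueError("a RID is exactly 5 bytes")
    found = []
    aid = card.select_first(rid)
    while aid is not None:
        # Check the returned complete AID against what was asked for.
        if aid.rid != rid:
            raise ValueError("card returned an AID outside the requested RID")
        found.append(aid)
        aid = card.select_next()
    return found


if __name__ == "__main__":
    card = AppletSelector(SAMPLE_AIDS)
    for aid in enumerate_by_rid(card, bytes.fromhex("F000000001")):
        print("RID", aid.rid.hex(), "PIX", aid.pix.hex())
    # Enumerating one match at a time leaves the last match launched.
    print("launched:", card.launched.raw.hex())
```

With one match returned per request, which applet ends up launched depends on installation order, so a terminal that needs a specific applet should follow up with its complete AID.
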
[0022] FIG. 2 is a schematic diagram representing the life cycle of a smart card, which in this particular implementation is a Java Card. This life cycle commences with the manufacture of the card, and the initial loading of the base operating system and the Java Card environment (reference numeral 210). Also at this stage, one or more applications may be preloaded (reference numeral 215). Generally, the base operating system and Java Card environment, and also potentially any preloaded applications, may be stored in ROM on the smart card 102 as part of the manufacturing process.

[0023] The card is now ready for issue to a cardholder (reference numeral 220), which typically involves an appropriate personalization process, as well as initialization of the Java environment, and starting the Java virtual machine on the card. The cardholder is thereafter able to use the card (reference numeral 230), such as in the manner illustrated schematically in FIG. 1. Note that if the card was originally issued without any preloaded applications, then the cardholder may have to load an application prior to making substantive use of the card. In practice however, this situation is rather uncommon, since usually there is at least one preloaded application in order to motivate issuance of the card in the first place.

[0024] During the operational lifetime of the card, further application programs may potentially be installed onto the card (reference numeral 235), for example if the cardholder signs up to new accounts or services. Conversely, applications may be removed from the card, perhaps because an account is closed.

[0025] The last operation shown in FIG. 2 is where the card is terminated (reference numeral 240). This may occur, for example, because the card has a built-in expiry date or is surrendered by the user (perhaps if the user is moving to a new card issuer, or the card is physically damaged).

[0026] Although the Java Card environment does support multiple applications from different RID operators, nevertheless, in practice, the installed applications on a large majority of issued cards come from and are run by a single RID operator. In other words, applications from one RID operator are typically found on one card, and applications from another RID operator on a different card. Consequently, relatively little attention has been paid to the business and technical problems associated with the provision and utilization of multi-vendor smart cards.

SUMMARY OF THE INVENTION

[0027] An application identifier (AID) for an application installed on a smart card comprises a registered application provider identifier (RID). The AID may be processed by determining the RID for an application from the AID of the application, generating an identifier for a network resource from the RID, transmitting a request to the network resource using the identifier, and receiving a response to the request. The response comprises material for use in handling the application on the smart card.

`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0028] The accompanying drawings, which are incorpo-
`rated into and constitute a part of this specification,illustrate
`one or more embodiments of the present invention and,
`together with the detailed description, serve to explain the
`principles and implementations of the invention.
`
`[0029] In the drawings:
`
`[0030] FIG. 1 is a schematic diagram illustrating the main
`components involved in a typical smart card application.
`
`[0031] FIG. 1A is a schematic diagram representing the
`implementation of an AID object in a typical existing smart
`card.
`
`[0032] FIG. 1B is a flowchart whereby a terminal selects
`and launches one application out of potentially multiple
`applications on a smart card by providing a full AID to the
`smart card.
`
`[0033] FIG. 1C is a flowchart whereby a terminal selects
`and launches one application out of potentially multiple
`applications on a smart card using partial AID matching.
`
`[0034] FIG. 2 is a schematic diagram illustrating the
`typical life cycle of a smart card.
`
`[0035] FIG. 3 is a schematic block diagram representing
`at a high level the structure of a typical smart card.
`
`[0036] FIG. 4 is a schematic diagram illustrating the
`interaction between a smart card and a terminal in
`accordance with one embodiment of the invention.
`
`[0037] FIG. 5 illustrates the composition of an AID in
`accordance with one embodiment of the invention.
`
`[0038] FIGS. 5A, 5B, 5C, and 5D illustrate the structure
`of an AID interpreter in accordance with certain
`embodiments of the invention.
`
`[0039] FIG. 6 is a flowchart depicting a procedure for
`matching an applet on a card in accordance with certain
`embodiments of the invention.
`
`[0040] FIGS. 6A through 6E are flowcharts illustrating in
`more detail the procedure of FIG. 6 in accordance with
`various embodiments of the invention.
`
`[0041] FIG. 6F is a flowchart depicting a procedure for
`matching in the terminal an applet on a card in accordance
`with one embodiment of the invention.
`
`[0042] FIG. 7 is a flowchart illustrating a smart card
`dynamically generating an AID to provide to a terminal in
`accordance with one embodiment of the invention.
`
`[0043] FIG. 8 illustrates a procedure for a terminal to
`utilize an AID to obtain code or information to support
`processing the AID in accordance with one embodiment of
`the invention.
`
`[0044] FIGS. 8A through 8F illustrate aspects of the
`processing of FIG. 8 in more detail for various embodiments
`of the invention, comprising some of the processing
`performed at a server.
`
`[0045] FIG. 9 illustrates the server processing for a
`request from a terminal in accordance with one embodiment
`of the invention.
`
`[0046] FIGS. 10 and 11 are schematic diagrams of the
`components involved in utilizing an AID to obtain code or
`information to support processing the AID in accordance
`with two different embodiments of the invention.
`
`[0047] FIG. 11A illustrates the use of a default proxy AID
`interpreter in accordance with one embodiment of the
`invention.
`
`[0048] FIG. 12 is a flowchart illustrating a procedure for
`a terminal to obtain a set of AIDs from a smart card in
`accordance with one embodiment of the invention.
`
`[0049] FIG. 12A is a flowchart illustrating some of the
`operations of the procedure of FIG. 12 in more detail in
`accordance with one embodiment of the invention.
`
`[0050] FIG. 13 is a flowchart illustrating a procedure for
`a terminal to identify a matching application in accordance
`with one embodiment of the invention.
`
`[0051] FIG. 13A is a flowchart illustrating the selection of
`proxy program on the terminal in accordance with one
`embodiment of the invention.
`
`[0052] FIG. 14 is a flowchart illustrating the installation
`of an application comprising an AID onto a smart card in
`accordance with one embodiment of the invention.
`
`[0053] FIG. 15 is a flowchart illustrating the use of the
`AID to hold configuration data in the flowchart of FIG. 14.
`
`DETAILED DESCRIPTION
`
`[0054] Embodiments of the present invention are
`described herein in the context of processing an application
`identifier from a smart card. Those of ordinary skill in the art
`will realize that the following detailed description of the
`present invention is illustrative only and is not intended to be
`in any way limiting. Other embodiments of the present
`invention will readily suggest themselves to such skilled
`persons having the benefit of this disclosure. Reference will
`now be made in detail to implementations of the present
`invention as illustrated in the accompanying drawings. The
`same reference indicators
