as) United States
`a2) Patent Application Publication 0) Pub. No.: US 2004/0083380 Al
`(43) Pub. Date: Apr. 29, 2004
`
`Janke
`
`US 20040083380A1
`
`(54) SECURITY MODULE WITH VOLATILE
`MEMORYFOR STORING AN ALGORITHM
`CODE
`
`(76)
`
`Inventor: Marcus Janke, Munchen (DE)
`
`Correspondence Address:
`LERNER AND GREENBERG,P.A.
`POST OFFICE BOX 2480
`HOLLYWOOD, FL 33022-2480 (US)
`
`(21) Appl. No.:
`
`10/620,108
`
`(22)
`
`Filed:
`
`Jul. 15, 2003
`
`Related U.S. Application Data
`
`(63) Continuation of application No. PCT/EP02/00733,
`filed on Jan. 24, 2002.
`
`(30)
`
`Foreign Application Priority Data
`
`Feb. 16, 2001
`
`(DE)... ee eeeeeeeseeeneeeneees 101 07 373.9
`
`Publication Classification
`
`(SL) Ute C07 cacsccsssssssssssnssessesnstsntsnstsevee HO4L 9/00
`(52) US. Ch.
`cecescsssssssscnstssssetnsenssstn 713/194; 713/175
`
`(57)
`
`ABSTRACT
`
`Asecurity module for use with a terminal comprises a data
`interface adapted to be coupled to a terminal, for receiving
`at least part of an algorithm code or the complete algorithm
`code from the terminal, as well as an energy interface for
`receiving supply energy. A volatile memory coupled to the
`energy interface in order to have energy supplied thereto
`stores the part of the algorithm code or
`the complete
`algorithm code received via the data interface, with a
`processor performing the algorithm code in order to obtain
`an algorithm code result that can be delivered to the termi-
`nal. Due to the storing of at least part of an algorithm code
`in the volatile memory of the security module, according to
`the invention, the algorithm code of the security module is
`effectively protected against spying out by a potential
`attacker.
`
`20
`
`Terminal
`
`Chip card
`
`30
`
`Z
`
`Mutual authentication
`
`40
`
`Encrypted transferof part of the
`algorithm code with certificate
`
`50
`
` Storingin volatile
`memory
`
`
`
`
`
`
`
`
`
`Application of algorithm code
`
`Clearing of algorithm code
`(in particular in case of
`exeptions, such as system
`lock failure, power failure,...)
`
`
`
`1
`
`SAMSUNG 1022
`
`SAMSUNG 1022
`
`1
`
`

`

`Patent Application Publication Apr. 29, 2004 Sheet 1 of 3
`
`US 2004/0083380 Al
`
`20
`
`10
`
`Terminal
`
`Chip card
`
`Mutual authentication
`
`
`
`
`
`
`
`
`Encrypted transfer of part of the
`algorithm code with certificate
`
`50
`
` Storing in volatile
`
`memory
`
`Application of algorithm code
`
`Clearing of algorithm code
`(in particular in case of
`exeptions, such as system
`lock failure, power failure,...)
`
`
`
`FIG 1
`
`2
`
`

`

`Patent Application Publication Apr. 29, 2004 Sheet 2 of 3
`
`US 2004/0083380 Al
`
`100
`
`120
`
`
`Energy interface
`
`
`140
`
`110
`
`Data interface
`
`
`
`
`
`
`Processor
`
`FIG 2
`
`3
`
`

`

`Patent Application Publication Apr. 29, 2004 Sheet 3 of 3
`
`US 2004/0083380 Al
`
`210
`
`200 230
`
`
`
` Energyinterface
`
`Data interface
`
`
`
`FIG 3
`
`4
`
`

`

`US 2004/0083380 Al
`
`Apr. 29, 2004
`
`SECURITY MODULE WITH VOLATILE MEMORY
`FOR STORING AN ALGORITHM CODE
`
`CROSS-REFERENCE TO RELATED
`APPLICATION
`
`[0001] This application is a continuation of copending
`International Application No. PCT/EP02/00733, filed Jan.
`24, 2002, which designated the United States and was not
`published in English.
`
`BACKGROUND OF THE INVENTION
`
`[0002]
`
`1. Field of the Invention
`
`[0003] The present invention relates to security modules,
`as employed for example for pay TV applications, credit
`cards, telephone cards or as TPM plug-in cards, and refers
`in particular to securing the algorithm codethat is employed
`for the communication between security module and termi-
`nal against external attacks.
`
`[0004]
`
`2. Description of the Related Art
`
`[0005] With the increasing advent of cashless payment
`traffic and the increasing information-technological net-
`working as far as into individual households, such as e.g. in
`case of pay TV applications, there is an increasing demand
`for cryptographic algorithms in order to be able to perform
`digital signatures, authentications and encryption tasks.
`Known cryptographic algorithms comprise asymmetric
`encryption algorithms, such as e.g.
`the RSA algorithm,
`symmetric encryption processes, such as e.g. the DSE pro-
`cess, as well as processes based onelliptic curves.
`
`In order to be able top perform the computations
`[0006]
`prescribed by the cryptographic algorithms in everydaylife
`with an acceptable speed on the one hand and in as conve-
`nient mannerfor the user as possible on the other hand, chip
`cards, such as smart cards or signature cards, are employed
`comprising an individually provided cryptographic proces-
`sor for implementing the cryptographic algorithm. Depend-
`ing on the particular application or use, the cryptographic
`processor must be capable of performing authentications,
`signatures, certifications and encryptions or decryptions in
`accordancewith different cryptographic algorithms. In addi-
`tion to implementation of the cryptographic algorithms, the
`chip card contains stored, chip card-specific information,
`such as a secret key and, in case of a credit card, the credit
`card number, the account number and the balance and, in
`case of a pay TV smart card, a smart card ID, a customer ID
`and other customer-specific information. A chip card enables
`the user of the chip card to carry out certain transactions,
`such as e.g. debiting, on specifically provided terminals or
`other end apparatus, such as pay TV decoders, in simple and
`efficient manner.In this regard, the cryptographic algorithms
`implemented on the chip card provide for protection of the
`chip card traffic against criminal manipulations.
`
`[0007] For protecting chip card terminal systems against
`criminal manipulations, specific protocols are employed
`between terminal and chip card, comprising e.g. mutual
`authentication as well as encryption and decryption opera-
`tions making use of the cryptographic algorithms imple-
`mented in the cryptographic processor. A problem with
`conventional chip cards consists in that the algorithms used
`for the secret functions, e.g. for encryption, are fixedly
`provided on the chip card in the form ofa fixed wiring and/or
`
`in stored form and thus are susceptible to being spied out by
`potential attackers. Spying out of cryptographic algorithms
`implemented in chip cards by an attacker comprises, for
`example, the chemical removal ofthe circuit structure of the
`cryptographic processor and the optical analysis of the
`exposed semiconductorstructures. If an attacker, by way of
`the chip card in his possession, succeeds in obtaining the
`cryptographic algorithm implemented therein, the attacker
`will be in the position, due to his knowledge of the crypto-
`graphic algorithm and thus by the possibility of implement-
`ing the same, to carry out certain attacks against the chip
`card in order to obtain the secret data, such as the secret key
`or other data of crucial security of the chip card. When the
`underlying cryptographic algorithm is known, the attacks
`have a by far greater chance of success, and consequently
`the security chain of the chip card traffic is at risk.
`
`[0008] With conventional chip cards, the problem of spy-
`ing out is counteracted merely by specific hardware pro-
`cesses or technologies, such as by the hidden contact pro-
`cess.In case of this process, attempts are made to prevent the
`optical analysis of removed semiconductor structures and
`thus a conclusion to the underlying electronic circuit by
`means of hidden contacts and by the use of specific layout
`libraries for the underlying gates, in which different gates,
`such as AND gates and OR gates, differ from each other
`merely by different doping. These hardware concealing
`measures indeed increase the expenditure for finding out the
`underlying cryptographic algorithms
`for
`the potential
`attacker, but on the other hand increase also the circuitry and
`design expenditure, the chip area and thus the costs of the
`cryptographic processor and the chip card, respectively.
`
`[0009] Acchip card with increased security against foreign
`attacks and reduced circuit expenditure is very attractive for
`chip card manufacturers in particular with regard to the high
`market potential and the large numbers of pieces in which
`chip cards are produced.
`
`SUMMARYOF THE INVENTION
`
`It is the object of the present invention to make
`[0010]
`available a security module, a terminal and a process such
`that security module traffic with a higher level of security
`may be ensured.
`
`In accordance with a first aspect of the invention,
`(0011]
`this aspect is achieved by a security module for use with a
`terminal, comprising a data interface adapted to be coupled
`to a terminal, for receiving at least part of an algorithm code
`or of the complete algorithm code from the terminal, with
`the algorithm code concerning a processing of secrets, an
`energy interface for receiving supply energy from theter-
`minal; a volatile memoryfor storing the part of the algorithm
`code or the complete algorithm code received via the data
`interface, said volatile memory being coupled to the energy
`interface in order to have energy supplied thereto such that
`the same will be cleared upon an interruption of the receipt
`of the supply energy from the terminal; and a processor for
`performing the algorithm code in order to obtain an algo-
`rithm code result that can be delivered to the terminal.
`
`In accordance with a second aspect of the inven-
`[0012]
`tion, this aspect is achieved by a terminal for use with a
`security module, comprising: a data interface adapted to be
`coupled to the security module, for transmitting at least part
`of an algorithm code or the complete algorithm code from
`5
`
`5
`
`

`

`US 2004/0083380 Al
`
`Apr. 29, 2004
`
`the terminal to a volatile memoryof the security module and
`for receiving the algorithm code result from the security
`module, with the algorithm code concerning a processing of
`secrets; and an energy interface for delivering supply energy
`to the security module, with the volatile memory being
`supplied by the supply energy, such that the same will be
`cleared upon an interruption of the receipt of the supply
`energy from the terminal, with the terminal, for each com-
`munication operation between terminal and security module
`during one and the same communication operation with the
`security module, being designated to send atleast the part of
`the algorithm code or the complete algorithm code to the
`volatile memory of the security module; and, subsequently,
`during the further communication process, receive the algo-
`rithm code result from the security module.
`
`In accordance with a third aspect of the invention,
`[0013]
`this aspect
`is achieved by a process for computing an
`algorithm code result using a security module, comprising
`the steps of: receiving at least part of an algorithm code or
`the complete algorithm code by means of an energy inter-
`face, with the algorithm code concerning a processing of
`secrets; volatile-storing said part of the algorithm code or
`said complete algorithm code in a volatile memory of the
`security module, with the volatile memory being coupled to
`the energy interface, to be supplied with energy, such that the
`same will be cleared upon an interruption of the receipt of
`the supply energy from the terminal: performing said algo-
`rithm code on the security module in order to obtain an
`algorithm code result; delivering said algorithm code result
`to the terminal; and clearing said volatile memory upon an
`interruption of the receipt of the supply energy from the
`terminal.
`
`In accordance with a fourth aspect of the invention,
`[0014]
`this aspect is achieved by a process for controlling a security
`module using a terminalin order to obtain an algorithm code
`result from the security module, with the process comprising
`for each communication operation, performing the follow-
`ing steps during one and the same communication operation
`with the security module: delivering supply energy from the
`terminal to the security module; transmitting at least part of
`an algorithm code or the complete algorithm code from the
`terminal to a volatile memory of the security module; with
`the algorithm code concerning a processing of secrets, with
`the volatile memory being supplied by the supply energy,
`such that the same will be cleared uponan interruption of the
`receipt of the supply energy from the terminal; and receiving
`the algorithm code result from the security module.
`
`In accordance with a fifth aspect of the invention,
`[0015]
`this aspect is achieved by a process for communication
`between a security module and a terminal, comprising the
`steps of: transferring at least part of an algorithm codeor the
`complete algorithm code from the terminal to the security
`module, with the algorithm code concerning a processing of
`secrets; volatile-storing said part of the algorithm code or
`said complete algorithm code in a volatile memory of the
`security module, with the volatile memory being supplied by
`the supply energy; such that the same will be cleared upon
`interruption of the receipt of the supply energy from the
`terminal; performing said algorithm code on the security
`module in order to obtain an algorithm code result; deliv-
`ering said algorithm coderesult to the terminal; and clearing
`said volatile memory upon an interruption of the receipt of
`the supply energy from the terminal.
`
`[0016] The present invention is based on the finding that
`the security of a security module, such as e.g. a chip card,
`against foreign attacks may be enhancedinthatat leastpart
`of the algorithm code is not fixedly stored on the security
`module, but rather that this missing part of the algorithm
`code is stored in a volatile memory of the security module
`during communication between the terminal and the security
`module only, with the algorithm code comprising functions
`of crucial security, such as debiting functions, or crypto-
`graphic algorithmsor concerning the processing of secrets in
`general. It is thus effectively prevented that the complete
`algorithm code is provided on a security module in the
`power of a potential attacker, and consequently it will
`become impossible for the potential attacker to access the
`algorithm code in order to spy out secret keys or other secret
`data, and to run or perform the same in accordance with
`specific attack processes, using e.g. fault attacks or infor-
`mation leakage attacks. In other words,
`it will be made
`nearly impossible to a potential attacker to utilize the
`algorithm code, such as an encryption algorithm, in abusive
`manner since this code is not permanently stored on the
`security module in complete form and thus, outside the
`utilization at a corresponding terminal, is not in the posses-
`sion of the attacker.
`
`[0017] According to the invention, a security module, such
`as a chip card, comprises a TPM (Trusted Platform Module)
`in the form of a computer plug-in module or a smart card,
`for use with a terminal in addition to a data interface adapted
`to be coupled to the terminal and receiving from the terminal
`at least part of the algorithm code or the complete algorithm
`code, an energy interface receiving supply energy, as well as
`a volatile memory for storing the part of the algorithm code
`received via the data interface or of the complete algorithm
`code received, with the volatile memory being coupled to
`the energy interface in order to have energy suppliedthereto.
`A processor performs the algorithm code in order to obtain
`an algorithm code result that can be delivered to the termi-
`nal. The not received remainder of the algorithm code may
`be stored, for example, in a non-volatile memory, such as a
`ROM,ofthe security module. If there is not sufficient supply
`energy present, there is thus no complete algorithm code
`contained in the non-volatile memory of the security mod-
`ule, and consequently there is no complete algorithm code
`available to be run by a potential attacker.
`
`[0018] A terminal suitable for use with the security mod-
`ule described hereinbefore, such as e.g. an automatic cash
`dispenser, a mobile telephone with card reader, a pay TV
`decoder or a computer having a plug-in place for a TPM,
`comprises for example a data interface that is adapted to be
`coupled to the security module and transmits the part of the
`algorithm code or the complete algorithm code from the
`terminal to the volatile memory of the security module and
`receives the algorithm code result from the security module,
`as well as an energy interface delivering the supply energy
`to the security module.
`
`[0019] According to a specific embodiment, an authenti-
`cation, such as an authentication according to the challenge
`and response scheme, is carried out between the terminal
`and the security module during a communication between
`terminal and security module. The transfer of the algorithm
`code from the terminal to the security module is carried out
`in encrypted and certified form in order to counteract
`eavesdropping and manipulation of the communication con-
`6
`
`6
`
`

`

`US 2004/0083380 Al
`
`Apr. 29, 2004
`
`nection between terminal and security module. The terminal
`or the security module to this end contains suitable means
`for performing authentication, encryption and decryption as
`well as certification and certification examination, respec-
`tively. For increased security and for effectively preventing
`access of a potential attacker to the transferred part of the
`algorithm code, the security module may have in addition a
`monitoring means which, if predetermined security condi-
`tions are fulfilled, clears the volatile memory. Such security
`conditions may comprise the interruption, an irregularity
`and a fluctuation in the supply voltage and/or the processor
`or system clock or other operating parameters as they may
`be effected by manipulation of the security module while the
`latter interacts with the terminal.
`In the event
`that
`the
`
`monitoring means has not effected preliminary clearing of
`the memory, the volatile memory and thus the part stored of
`the algorithm codeis cleared at the latest upon termination
`of the communication between terminal and security module
`or upon interruption of the supply energy, respectively, such
`as e.g. by withdrawal or removal of the security module
`from the terminal, whereby this part of the algorithm code
`is no longer available to a potential attacker for performing
`in the scope of specific attacks.
`
`In order to further reduce the attackability of the
`[0020]
`it may be provided to transfer the part of the
`system,
`algorithm code from the terminal to the security module
`intermittently in modified form and repeatedly and, in doing
`so, to store each time the newly transferred, altered part of
`the algorithm code in the volatile memory instead of the old
`stored part of the algorithm code. This renders possible
`changes in a cryptographic algorithm during the communi-
`cation between terminal and security module, such as e.g. in
`case of pay TV applications, but also changes in the algo-
`rithm code each time upon initialization of a terminal-
`security module communication, such as e.g.
`in case of
`credit cards, wherebyit is further aggravated for a potential
`attacker
`to adjust
`to, or
`find out,
`the algorithm code
`employed.
`
`In addition to protecting the algorithm code of the
`[0021]
`security module against spying out by a potential attacker, an
`additional advantage of the present invention consists in that
`it is applicable to a multiplicity of application fields, such as
`e.g. EC cards, credit cards, multi-application cards or pay
`TV smart cards. Depending onthe particular application, the
`algorithm code or security function code received by the
`security module contains parts of a code for functions of
`crucial security or one or more cryptographic algorithms of
`the security module. For chip card producers or producers of
`security modules, the versatile applicability as well as the
`enhanced security against potential attacks means increased
`acceptance in the market and thus an increased marketshare.
`In addition thereto, the security of the security module is
`increased in inexpensive manneras the increased security is
`achieved by software loading of the volatile memory. The
`conventional and complex hardware measuresfor protecting
`the algorithm code against potential attackers, as described
`hereinbefore, may either be carried out in addition or be
`replaced by less expensive hardware techniques since the
`functions of crucial security or the underlying cryptographic
`algorithm of the security module are not permanently pro-
`vided on the chip card.
`
`alternative
`and further
`[0022] Further developments
`embodiments of the present invention are defined in the
`attached dependent claims.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0023] Preferred embodiments of the present invention
`will be elucidated in detail hereinafter with reference to the
`
`accompanying drawings in which
`
`[0024] FIG. 1 shows a schematic diagram illustrating the
`sequence of operations during communication of a chip card
`with a terminal according to the present invention;
`
`[0025] FIG. 2 shows a block diagram of a chip card
`structure according to an embodimentof the present inven-
`tion; and
`
`[0026] FIG. 3 showsa terminal construction according to
`an embodiment of the present invention.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENTS
`
`Itis pointed out that the following detailed descrip-
`[0027]
`tion of specific embodiments of the present invention refers
`to chip card applications by way of example only, and that
`the present invention is also applicable to other security
`modules, such as TPMs in the form of plug-in cards; the
`following description may easily be transferred to such
`applications. Accordingly,
`the following description also
`refers to terminals for chip cards, such as e.g. cash dispens-
`ing machines, by way of example only, although a terminal
`according to the present invention, in other fields of appli-
`cation, may also be a computer, for example, having a TPM
`in the plug-in spaces thereof, or a mobile telephone with a
`smart card in the card reader thereof, or the terminal may
`generally be an arbitrary apparatus capable of communicat-
`ing with the security module.
`
`[0028] Reference is madefirst to FIG. 1, illustrating the
`sequence of operations during communication between a
`terminal and a chip card, as it results for example when a
`chip card is introduced into a terminal. In case of chargeable
`radio broadcasting, the chip card may be, for example, a pay
`TV smart card and the terminal may be the respective end
`apparatus or decoder of a pay TV customer. In the event the
`chip card is a credit card, the terminal is a cash dispensing
`machine, for example.
`
`FIG.1 illustrates the chip card 10 and the terminal
`[0029]
`20 beside each other in the form of rectangles with rounded
`corners. Underneath the same, the various steps carried out
`during communication or interaction of the chip card 10
`with the terminal 20 are shown schematically by arrows and
`blocks in downward direction in the sequence of their
`occurrence. The directions of the arrows indicate the direc-
`tions of the data flows in which the data are transmitted,
`whereasthe blocks represent measures performed in the chip
`card 10.
`
`Thesteps illustrated in FIG. 1 have the prerequisite
`[0030]
`that a communication is already possible between the ter-
`minal and the chip card which, for example, may be the case
`upon introduction of the chip card into the terminal; in this
`regard,
`the terminal 20 may be a contactless or contact
`terminal, and the communication connection thus may take
`place without contact or via a contact.
`It
`is necessary
`7
`
`7
`
`

`

`US 2004/0083380 Al
`
`Apr. 29, 2004
`
`furthermore for communication that chip card 10 be sup-
`plied with energy from terminal 20, which may also be
`carried out in contactless manner via electromagnetic radia-
`tion or via a contact. After the communication connection
`
`between terminal 20 and chip chard 10 has been established
`and supply energy has been supplied to chip card 10,
`initializing steps may be carried out first, such as e.g. the
`mutual agreement on the relevant protocoletc.
`
`[0031] After the steps (not shown) of supplying energy to
`the chip card 10, establishing the communication connection
`as well as initializing the communication between terminal
`20 and chip card 10, mutual authentication between terminal
`20 and chip card 10 is carried out in a step 30, e.g. an
`authentication in accordance with the challenge
`and
`response process. The mutual authentication may comprise,
`for example, the inputting of a PIN (Personal Identification
`Number) by the card user, in which the mutual authentica-
`tion 30 makes use, for example, of chip card-specific data
`stored on the chip card 10, such as e.g. a chip card identi-
`fication number and a personal identification number, in
`connection with a chip card key stored on the chip card as
`well as an authentication code stored on the chip card and
`representing a cryptographic algorithm, such as e.g. a sym-
`metric or an asymmetric cryptographic algorithm. The
`authentication serves to make sure that only admitted chip
`cards may communicate with admitted terminals. If the
`authentication yields an error, the communication connec-
`tion is terminated.
`
`[0032] Upon successful mutual authentication 30, the ter-
`minal 20 in a step 40 transmits part of the algorithm code to
`the chip card 10 in encrypted and certified form. The
`encryption of the transferred part of the algorithm code
`protects the transmission against eavesdropping by a poten-
`tial attacker, while the certification in the terminal 20 of the
`chip card 10 is to provide a guaranteeas to the origin of the
`transferred part of the algorithm code. For decryption of the
`transferred part of the algorithm code and for examining the
`certificate as well as for performing the mutual authentica-
`tion 30, the chip card 10 comprises suitable authentication,
`decryption and certificate examining means which are con-
`stituted by part of the hardware and by codes stored in a
`non-volatile memory of the chip card, such as e.g.
`the
`authentication code. The cryptographic algorithms underly-
`ing said mutual authentication 30 and said encryption and
`certification 40 may comprise symmetric or asymmetric
`cryptographic processes, such as e.g. the RSA or the DES
`algorithm or an arbitrary other cryptographic algorithm.
`
`In case the certificate examination reveals that the
`[0033]
`certificate lacks genuineness; the communication between
`terminal 20 and chip card 10 is interrupted, and there may
`be provisions made that the chip card 10 does not longer
`carry out processings for a predetermined period of time. It
`is thus avoided that a potential attacker taps the communi-
`cation connection between terminal 20 and chip card 10 and
`enters a “false” code to the volatile memory of the chip card
`10 which, upon performing by the chip card 10, could effect
`the outputting of secret data stored on chip card 10, for
`example.
`
`Ifthe certificate examination revealed the genuine-
`[0034]
`ness of the certificate, the transferred part of the algorithm
`codeis thenstored, in a step 50, in a volatile memory of chip
`card 10 either in encrypted or in decrypted form. Depending
`
`on encrypted or decrypted storage, the algorithm code is
`decrypted before storage thereof or before performing by a
`cryptographic processor on chip card 10. The algorithm code
`having a part thereof transferred in step 40 may comprise the
`program code of one or a plurality of functions of crucial
`security of the chip card 10, such as e.g. a debiting or
`crediting function for charging or discharging the chip card
`10, or the program code for performing a cryptographic
`algorithm necessary during the further communication
`sequence, such as e.g. a symmetric or asymmetric crypto-
`graphic process, an RSA algorithm, encryption according to
`the DESstandard,an elliptic curve process or another secret
`algorithm, however without restriction to these examples. In
`the event of a pay TV application,
`the algorithm code
`comprises, for example, information with respect to decryp-
`tion of the television data of a chargeable program, such as
`e.g. the repermutation of the image lines of an image of the
`television data. Consequently,
`the algorithm code to be
`protected is present in complete form on chip card 10 only
`during the time of execution of the communication between
`terminal 20 and chip card 10.
`
`Ina step 60, the algorithm code now contained in
`[0035]
`complete form on chip card 10 is utilized and performed by
`a processor provided on the chip card 10. In the afore-
`mentioned pay TV example, the processor of chip card 10
`performs, for example, the repermutation of the image lines
`of the television images by wayof the algorithm codestored.
`In a debit application of the chip card 10, such as e.g. with
`telephone cards, the algorithm code indicating a debiting or
`crediting function is used for example for crediting or
`debiting a balance provided on the chip card 10. With credit
`card applications, step 60 comprises for example the per-
`forming of the algorithm code indicating a cryptographic
`algorithm by means of a cryptographic processor of chip
`card 10 in order to place moneytransfer orders, for example.
`
`Ina step 70, the part of the algorithm code stored
`[0036]
`in the volatile memory is cleared again. Clearing of the
`algorithm code may beeffected, for example, by taking out
`the chip card 10 from terminal 10 by the card user and by
`thus interrupting the delivery of supply energy from terminal
`20 to chip card 10. For preventing attempts of potential
`attackers to protect the volatile memory, e.g. a RAM,against
`loss of the stored part of the algorithm code, whereby these
`would comeinto possession of the complete algorithm code,
`the chip card 10 may have a specific monitoring means
`provided thereon whicheffects active clearing of the volatile
`memoryof the chip card 10 also if a monitoring operation
`reveals that specific security conditions are fulfilled, such as
`interruption of the system clock,
`the interruption of the
`delivery of supply energy or other indications for a possible
`attack, such as voltage fluctuationsor the like. Consequently,
`the algorithm code, after utilization of the chip card 10 in the
`terminal 20 or
`interference with the communication
`
`sequence, is no longer present on chip card 10 and thus is no
`longer exposedeither to potential attacks and spying out by
`potential attackers. An attacker in possession of the chip card
`cannot carry out security computations on the basis of the
`complete algorithm codesince the latter is not completely in
`the range of access of the attacker. The spying out of keys
`or algorithmsis thus effectively prevented.
`
`[0037] After the sequence of operations during commu-
`nication of a chip card with a terminal has been described
`with reference to FIG. 1, various possibilities will be
`8
`
`8
`
`

`

`US 2004/0083380 Al
`
`Apr. 29, 2004
`
`described first hereinafter as to which parts of an algorithm
`code are transferred from the terminal
`to the volatile
`
`memoryofthe chip card. In the event that the algorithm code
`contains the program code of a secret, not yet known
`cryptographic algorithm,
`it may be advantageous
`for
`example to completely transfer the algorithm code from the
`terminal to the volatile memory of the chip card, whereby
`this secret cryptographic algorithm would be effectively
`protected against spying out by a potential attacker.
`
`In the event that the part transmitted or transferred
`[0038]
`of the algorithm code contains part of a program code of a
`known cryptographic algorithm, the transferred part of the
`program code comprises, for example, memory addresses in
`which the computation components underlying the crypto-
`logic computation are stored, thereby effectively preventing
`that a potential attacker in possession of the chip card can
`perform the security computations based on this crypto-
`graphic algorithm, since the required memory addresses for
`performing the program code and for performing the
`memory accessing operations by the processor of the chip
`card, which are necessary therefor, are missing.
`
`In the event of a known cryptographic algorithm,
`[0039]
`the transferred part of the algorithm code may contain jump
`addresses pointing either as a start address to the beginning
`of a specific program codeor as conditional or unconditional
`program jumpsto the beginnings of specific partial routines.
`Without knowing these jump addresses, it is rendered very
`difficult for an attacker to spy out the chip card in his
`possession.
`
`Ina specific example, a plurality of program codes
`[0040]
`for various cryptographic algorithms may be provided on the
`chip card 10, with the transferred part of the algorithm code
`containing a start address of a specific one of the various
`cryptographic algorithm program codes that has just been
`selected by the terminal. The terminalselects, for example,
`for each new chip card terminal communication operation a
`new cryptographic algorithm from the p