 |
Description  |
|
|
This invention relates to methods of storing data and to data storage
systems.
A first known series of systems comprises at least one portable device
including a memory containing stored data and at least one transfer device
constituted generally by a peripheral unit connected to a central computer
comprising means whereby data may be transferred between the memory in the
portable device and the central computer.
The person carrying the portable device introduces this latter into the
peripheral unit and temporarily couples it with the central computer. The
data contained in the memory of the portable device are transferred to the
central computer which processes and analyses them. The data thus
processed generally serves subsequently to control various mechanisms.
Thus, for example, it is possible by means of such a system to control the
opening of a door or the issue of bank-notes: the portable device plays
the part of an electronic key, allowing the person who possesses it to
make himself known by means of the data contained in the portable device
and to control the operation of the associated mechanisms.
Such a system has been used in particular for the dispensing of bank notes
by means of credit cards. Such systems suffer from major disadvantages
which arise from the fact that the memory in the portable device is
constituted by a magnetic track; these inconveniences are as follows:
The contents of the memory may be erased by heat or by a magnetic field,
Its storage capacity is relatively small; as a result the identification
data are limited in number;
The contents of the memory may be readily reproduced on other devices, this
is particularly awkward in the case of theft or fraud,
The contents of the memory may be modified with the aid of relatively
simple equipment (a plastics lens and a magnetized needle);
As in all systems using recording on magnetic tapes, it is necessary to
place the device to be placed close to the magnetic reading head; in
addition, the process is electro-mechanical, that is to say, the magnetic
track must be displaced with respect to the reading head in order to
develop a signal.
To overcome these difficulties it has been proposed to make use of
integrated-circuit inert memories, of the semiconductor type or making use
of fusible links; in particular a portable device including a particular
embodiment of this type of memory has been described in U.S. Pat. No.
3,702,464.
In addition -- and whatever the construction of the memory; -- magnetic or
semi-conductor -- the known systems present another major difficulty which
arises from the fact that these systems are not devised to prevent,
temporarily or permanently, certain data contained in the memory (or
capable of being contained in the memory) from being read by the transfer
device and extracted from the memory. Similarly, they are not arranged,
temporarily or permanently, to prevent certain data transferred into the
memory (or into certain zones of the memory) from being altered by new
data being entered.
In practice, in many applications, it is necessary to reserve certain
strictly defined sections in the memory and to prohibit their contents
from being modified or read, temporarily if not permanently; these
predetermined sections may be:
empty of all information; this is specifically the case when, for example,
the portable device comprises also associated processing and writing means
arranged to enter into the memory data resulting from the processing; in
this case it is necessary in practice to retain portions of the memory
empty of all information and to prohibit the entry therein of all entries
originating externally of the portable device.
or may contain preset information which it is desired to preserve without
it being possible for it to be modified or read.
It is particularly essential (as will be seen) to solve such a problem when
the memory system is used to deal with bank accounting.
A second series of systems for data storage is known which comprises:
at least one portable device comprising a memory arranged to store data.
at least one transfer device constituted generally by a peripheral unit
connected to a central computer comprising means for transferring data
between the central computer and the memory in the portable device (and
possible reciprocally).
By the use of such a system it is possible to store data originating in a
central computer in a readily transportable form and to carry them to some
other location.
Such a system has been described, for example, in French Pat. No. F.
7007187. The portable device described in this patent comprises a magnetic
memory; as a result of which it presents the same inconveniences which
have just been described and which are due to the magnetic construction of
the memory.
To a certain extent, U.S. Pat. No. 3,702,464 suggests the use as a memory
of an integrated circuit inert memory using semiconductor devices, of a
special type, and the transfer of data into such a memory. However, it
does not point out the means for effecting this transfer and does not set
out in detail the manner of the transfer.
Furthermore, and whatever the construction of the memory, magnetic or
semiconductor; the known systems present another major inconvenience which
arises from the fact that the systems are not devised to transfer and
store (in as small a volume as possible) data originating at
geographically distinct locations in random order. In other words, the
known systems are not devised to enter each new set of data into a
distinct section of the memory -- while utilising to the maximum the whole
of the available sections of the memory -- and to inhibit any modification
of the contents of the sections already written.
This inconvenience is serious; in practice, in a good number of
applications, especially in applications to banking (as will be seen), it
is essential to use the useful capacity of the memory to the full, without
being able to alter the contents of already programmed sections. Now,
specifically, in the case of such banking application, an individual
portable device cooperates with a multitude of transfer devices without
any connection between them, so that a given transfer device is
necessarily ignorant of the addresses of the sections empty of all
entries, and particularly of that empty section adjacent to the last
section in which an entry was made. It is therefore essential to solve
this problem.
The present invention relates more especially to data storage and transfer
systems of the kind described above (those of the first and also those of
the second series) and has the object of overcoming the difficulties which
they present.
The object of the present invention is as follows: to provide a system
permitting the transfer of data between a transfer device and a portable
device comprising a memory and/or, reciprocally, to transfer data between
a memory contained in a portable device and a transfer device. In
addition, the transfer should be effected in accordance with the two
following supplementary characteristics, taken separately or in
combination:
1. The system should be capable of effecting the transfer in an erratic and
discontinuous manner, that is to say, in such a manner that:
a single portable device may be associated at different times and in any
order with several different transfer devices,
several portable devices may be associated at different times and in any
order with the same transfer device.
The problem to be solved is as follows: a system must be devised such that
erratic entry of new data into the memory of the portable device does not
modify the data already entered (of which it is not generally possible to
know the existence) and takes place automatically in empty portions of the
memory.
2. The system should permit transfer to be effected in such a manner that:
certain data contained in the memory (or capable of being contained in the
memory) cannot be temporarily or finally read by the transfer device and
extracted from the memory.
certain data transferred into the memory cannot be temporarily or
permanently modified.
The problem to be solved is as follows: it is necessary to devise a system
such that certain data cannot be re-read and/or entered and or re-entered
into the memory, temporarily or permanently.
More generally, it may be said, combining the two supplementary
characteristics into a single formula, that the object of the present
invention is, in addition, to effect the data transfer in such a manner
that the contents of certain predetermined sections of the memory shall be
inaccessible for reading or writing from outside the device, either
temporarily or permanently.
Thus it is an object of the invention to provide a system capable of
presenting, in addition to the functional characteristics set out above
the advantage of being as little susceptible to mis-use as possible; that
is to say, to provide a system such that it is difficult to modify the
contents of the memory of the portable device irregularly in favour of the
user. It would be utopian to claim that a system is entirely safe against
fraud or is incapable of being overcome; on the other hand it is
reasonable to maintain that, among several systems, some are less subject
to fraud than others owing to the technical difficulties which must be
overcome by the fraudulent to produce a modification in their favour.
It is stressed that none of the known systems described above attains the
object of the invention, in particular, the two supplementary objects set
out as points 1) and 2). The present invention has for the first time
proposed and solved a problem of which the importance in practice is very
considerable, as will be seen.
In order to attain its object, a system in accordance with the invention
comprises:
at leasst one independent protable electronic device,
at least one transfer device.
In accordance with the invention the portable device includes:
at least one memory arranged to store data in a readily transportable form,
externally accessible coupling means allowing the portable device to be
temporarily coupled with the transfer device,
memory control circuits interconnected between the coupling means and the
memory, permitting access to the memory and allowing the circulation of
data into and out of the memory.
Preferably the memory and the control circuits are constructed in the form
of logic microcircuits; preferably likewise the portable device does not
require a power supply and the memory is an inert memory. More
particularly again, the inert memory is of the semi-conductor type; this
semiconductor inert memory may be reprogrammable (that is, erasable) or
write-only (that is, non-erasable). Finally, this memory is, for
preference, incorporated in an inaccessible manner in the interior of the
portable device.
These particular constructions and arrangement of the memory contribute in
an essential manner to making the system of the invention highly resistant
to fraud.
The transfer device comprises:
coupling means complementary to those of the portable device,
transfer means connected to the coupling means, these transfer means being
arranged to introduce data into or extract data from the memory; these
transfer means are composed more particularly of writing means and/or
reading means.
According to the principal characteristic of the present invention, the
system is characterized by the fact that it includes, in addition,
transfer inhibiting means (that is, means operable to inhibit the reading
and/or writing means), prohibiting the reading of and/or any modification
of the data stored in predetermined sections of the memory.
Thanks to these inhibiting means, the said predetermined sections of the
memory in the portable device remain in that state in which they were at
the instant at which the inhibiting means was actuated, and during the
whole time in which these means are active; it is no longer possible to
read their contents.
The inhibiting means may be arranged either in the transfer device or in
the portable device; preferably, however, so as to make the system as
little susceptible to fraud as possible, the inhibiting means are
interconnected with the memory control means and are situated in the
portable device; preferably they are incorporated in this latter in as
inaccessible manner as possible.
The manner of realisation of the system according to the invention, more
particularly devised so that the writing of new data into the memory of
the portable device shall not alter the contents of the data already
entered and will take place automatically in the empty portions of the
memory, is characterized by the fact that:
the transfer means comprises means for writing data into the memory of the
portable device,
the memory of the portable device, in cooperation with the control
circuits, is organised in a plurality of distinct sections, each arranged
to receive one word,
the means inhibiting the writing means, preferably situated in the portable
device, consists of a means detecting unprogrammed sections of the memory:
prohibiting the activation of the writing means in the case where the
section considered is already programmed,
allowing the actuation of the writing means in the case where the section
considered is not programmed, so as to write a new dats into that section.
In addition, the detector is devised to memorise the writing command for
the duration of a complete writing cycle.
Thanks to this detector new data cannot be written into an already
programmed section of the memory, whatever may be the means brought into
use; in addition, all new data is automatically written into a
non-programmed section of the memory.
Preferably the non-programmed section detector is placed in the portable
device and interconnected with the memory control means. Thanks to this
arrangement, the fraudulent modification of the contents of the programmed
memory sections is not possible, since the would-be fraudulent operator
has no possibility of access to the detector so as to remove its
influence, without risking the destruction of the memory and of its
control circuits.
Preferably the non-programmed memory section detector comprises:
a first gate receiving in parallel the contents of the relevant section of
the memory (for example, and AND gate when the unwritten bits correspond
to the logic level 1),
a second gate for allowing a write operation, enabled by the first gate in
the case where the relevant memory section does not contain any data and
enabling the energization of the writing means,
a memory circuit interposed between the first and second gates and arranged
to store the active state of the first gate (at least during one writing
cycle).
The memory circuit has the function of maintaining the enabling of the
writing function despite the fact that the first bit written-in affects
the state of the respective section. In addition, the non-programmed
memory section detector preferably includes an inhibiting circuit
interposed in the memory addressing circuit, actuated by the first gate
through the intermediary of the memory circuit; this inhibiting circuit is
arranged to prevent the addressing of the non-programmed section of the
memory during the whole of the writing cycle.
Owing to this arrangement, a fraudulent operator is unable to address the
memory as he wishes, for example, at a page already written, during the
writing cycle; in addition, this arrangement permits inhibition of
addressing during wiriting, which is desirable in order to avoid errors of
electronic origin.
The manner of carrying out a system in accordance with the invention, more
particularly devised so that certain data contained in the memory (or
susceptible of being contained in the memory) cannot be read and/or
written and/or re-written, temporarily or permanently, is characterized by
the fact that:
the transfer-inhibiting means (means inhibiting reading and/or writing)
include:
means for coding the predetermined inhibitied sections,
means for detecting the coded inhibited sections,
inhibiting the actuation of the transfer means in the case where the
relevant section carries an inhibit code,
enabling the actuation of the transfer means in the case where the relevant
section does not carry an inhibit code.
Such a combination makes it possible:
to inhibit reading or writing, before or after writing, in such a section
or sections of the memory of the portable device,
to inhibit reading or writing, temporarily or permanently, in such a
section or sections of the memory;
following upon the moment when the coding and detector means are set in
action (before or after writing) and the time during which they remain
active.
With a view to solving particular problems posed by applications of this
system in banking, and in particular to frustrate attempts at fraud, it is
preferred, in accordance with an optional characteristic of the present
invention, the coding and detector means are incorporated within the
interior of the portable device, in a manner such that they are
inaccessible from outside the device.
Owing to this arrangement it is impossible, whatever the means adopted by a
would-be fraudulent operator, to obtain access to the memory and to modify
or read its contents.
The means for coding and detecting predetermined prohibited sections may be
of different natures. In the case where the memory is organised in words
of n bits and comprises input/output circuits (for writing and reading)
composed of n conductors, the coding means may consist of one of the bits
of the word.
The detector means, connected to the conductor of the input/output circuit
corresponding to the code bit, may in particular be composed of a
write-enable gate (an AND gate in the case where the bit is coded 0 to
denote a prohibited section) prohibiting all writing in the case where the
relevant section is prohibited. Preferably and in accordance with an
optional feature of the invention, the code is the nth bit of the word,
the useful part of the word consisting of n - 1 bits. Owing to this
arrangement the coding of the nth bit inhibits writing only after this has
been effected on the n - 1 usful bits of the word. It is clear that such
an arrangement solves the particular problem posed by the banking
application considered. In practice, provided that the number of the bank
account or the identification number has been written into the portable
device and that the nth bit has been altered (set to the 0 state), it is
no longer possible to change the entry.
The coding and detecting means for predetermined sections may be arranged
in another manner. Thus the coding means may be composed of diode
matrices, of inert memories, or simply of connecting points, while the
detecting means may comprise at least one address comparator
interconnected between the memory addressing circuit and the coding means;
this address comparator inhibiting a writing-enable gate in the case where
the address considered is an address coded as prohibited.
Preferably, and with the object of solving the particular problem arising
from banking applications, the coding means is programmed in an
irreversible manner during the construction of the portable device (credit
card) and before being incorporated into this latter, so that it is no
longer possible to recode it differently without destroying the card; the
addresses of the prohibited sections are thus determined once and for all.
In this case, in order to permit the entry into the prohibited sections of
confidential and personal data (such as the number of the bank account or
the identification data) by the organisations responsible for so doing
(the bank, etc)., there is further provided in the portable device a
special means, at the disposal of this organisation, arranged to
deactivate the means inhibiting writing. This special means comprises
another gate interposed between the address comparator and the gate
enabling writing; this other gate may be permanently held conductive by
irreversible modification of an actuating circuit. The organization
responsible for establishing the confidential data is then able, owing to
this special means, to put out of action the writing inhibiting means
before the entry of the confidential data and to activate the writing
means (the coding and detector means) after the entry of the confidential
data.
The data storage system in accordance with the invention, having the stated
characteristics, is suitable for a large number of practical applications;
the following applications may be especially mentioned:
keeping a bank account,
issue of bank-notes,
keeping a medical record,
For instance, in the case of controlling a bank account, the client keeps
possession of a portable device (in the form of a credit card, for
example) containing a memory storing the following information:
the personal entitlement code,
the number of the bank account,
the name of the client,
the serial number of the card,
a list (with or without dates) of the various debit operations,
a list (with or without dates) of the various credit operations.
The trader is provided with a transfer device in the form of a cash
register, permitting him to read the contents of the card and to write
into it new data, particularly the date and the amount of the purchase
effected.
The account is kept in the following manner:
A transfer device, installed at the point of sale, examines the credit
available shown in the client's card by comparing the sum of the debits
with the sum of the credits; this transfer device then compares this
available credit with the amount of the intended purchase, if this is
sufficient, the transfer device modifies the memory in the client's card
by writing into it the amount of the purchase effected.
Afterwards, the transfer device enters in a local electronic store the
number of the client's bank account and also the amount of the expenditure
icurred.
The trader then puts the operation in order with his own bank,
communicating to this latter the bank coordinates of his clients and the
amounts of their purchases recorded by the transfer device; the bank will
debit the banker accounts of the various clients with the amounts of their
purchases and will credit the account of the trader with these amounts.
It is therefore essential for keeping a bank account to have available a
system:
preventing any modification (accidential or fraudulent) of the contents of
the memory, especially of the permenent sections in which there are stored
the banking coordinates of the client and his personal entitlement code,
detecting the already written sections of the memory so as not to modify
their contents,
detecting unwritten sections of the memory so as to write all new data
therein.
The system of the present invention is therefore particularly well adapted
for such a banking application, particularly because it is difficult to
effect any fraud.
Non-limiting examples of certain embodiments of a data storage and transfer
system in accordance with the invention will now be described with
reference to the drawings, in which:
FIG. 1 is a schematic representation of the application of a system
according to the invention to the issue of bank-notes;
FIG. 2 is a schematic diagram of a detail of the arrangement of FIG. 1,
explanatory of the operation of the integrated memory circuit of the
portable device;
FIG. 3 is a schematic diagram of an add/subtract unit which is one of the
elements illustrated in FIG. 1;
FIG. 4 is a diagram illustrating a first form of inhibitor means preventing
any modification of the sections of the portable memory already
programmed;
FIG. 5 is a modified embodiment of inhibiting means for an already written
section;
FIG. 6 shows a detail of a single channel inhibiting gate;
FIG. 7 is a synoptic chart showing the organisation of a transfer device
capable of cooperating with a portable device comprising inhibiting means
such as those described with reference to FIG. 5;
FIG. 8 is a detail of the addressing circuits of the device shown in FIG.
7;
FIG. 9 shows a memory module organised in mn words of 1 bit, by means of a
primary memory organized in m words of n bits;
FIG. 10 is a symbolic representation of the memory module described with
reference to FIG. 9;
FIG. 11 shows a form of construction of the clock circuit for the memory
module described with reference to FIG. 9;
FIG. 12 shows a form of construction of the inhibing means for the case
where the memory is organised in mn words of 1 bit;
FIG. 13 shows another form of construction of the inhibitor means for the
case where the memory module is of the kind described with reference to
FIG. 9;
FIG. 14 shows a form of construction of the inhibitor means prohibiting the
modification of what is written in sections coded as prohibited;
FIG. 15 shows a form of construction of the inhibitor means differing from
the described with reference to FIG. 14;
FIG. 16 shows a form of construction of an activating circuit arranged
permanently to activate the inhibitor means;
FIG. 17 shows a form of construction of the inhibitor means for the case
where the memory is adressed by means of a computer;
FIG. 18 shows a form of construction of the inhibitor means permitting the
prohibition of the memory addresses between a lower limit X and an upper
limit Y;
FIG. 19 shows a form of construction of the inhibitor means intended more
particularly to prohibit the reading of certain sections of the memory.
The description which is about to follow requires the following general
remarks:
All the forms of construction described below, of memory systems in
accordance with the invention, are more particularly intended for banking
and accountancy applications; as a result, and in order to facilitate
reading, the manner of operation and the effects of the various devices
has been for the most part described using terminology appropriate to
banks and to the keeping of a bank account. The various embodiments may
however have quite different applications and may be used in all cases
where it is necessary to store data, particularly in a confidential and
irreversible manner.
The electronic circuits of all the embodiments herein below described are,
because of their application in banking, incorporated in an inaccessible
manner in a portable device, advantageously in the form of a flat
rectangular card. There are incorporated in it in an inaccessible manner,
that is to say that it is not possible to obtain access to the electronic
circuits without destroying them; this result may be obtained in
particular by constructing them in the form of logical micro-structures
(integrated circuits) and by incapsulating them in an opaque plastics
resin, but other mechanical solutions can be envisaged. In the figures
relating to the portable device (the card), there has been indicated by a
broken line the boundaries of those parts of the circuits which are
electrically or optically inaccessible from the exterior.
Only the coupling means allow access, either electrical or optical, to
electronic components contained in the interior of the card.
It should be noted, however, that for other applications not requirinng
intensive protection against attempts at fraudulent interference with the
contents of the card, some -- if not the whole -- of the elements
comprising the inhibitor means may be situated on the exterior of the
card, particularly in the portable device. Similarly, for other
applications, the precautions taken to incorporate the circuit in an
inaccessible manner in the card are unnecessary.
In addition, in order to simplify so far as possible the description of the
electronic circuits, the supply circuits, etc, have not been represented
and only the functionally essential circuits are shown. However, care has
been taken to indicate, as regards the coupling means, by references such
as VP, VG, earth (which designate respectively the source of writing
voltage, the general supply source for the logic circuits and the nought
volt line), the feed connections which it is necessary to establish
between the card and the particular exterior arrangements.
Finally, it should be noted that the inert integrated-circuit memories
employed in these embodiments may be of different kinds; particularly
either of the programmable or of the re-programmable type. Such memory
devices do not require any energy to store the information. On the
contrary, the writing of information generally requires a substantial
amount of energy (several watts instantaneously); in consequence, the
constructors guarantee an extremely long storage time, of the order of
several tens of years in the case of re-programmable memories. The
following references to the type of memory may be given:
Intel 1702 and National Semiconductor 5203; These memories are erasible by
exposure to a source of ultra violet radiation or of x-rays;
Harris 7620, Monolific Memories 6340, Texas Instruments 74 S 387, Intersil
5604; These latter non-erasible (destructible) memories are of the fusible
or junction-break down type.
Memories with capacities of 4096 bits are currently fabricated by certain
makers, particularly in the field of MOS (erasible) memories. Modern
processes for the inter-connection of integrated circuit chips thus allow
the construction at low cost of a block memory of 16 kilobits or 32
kilobits (4 or 8 chips) in an area of some tens of square millimetres,
adding to these the special circuits which are the object of the present
invention the block may be included in a card having the dimensions of 2
.times. 60 .times. 80 mm.
These inert intergrated -- circuit memories of the semi-conductor type
present very appreciable advantages, as compared with other inert memories
such as magnetic cassettes, flexible discs, etc. In fact they are more
reliable, their dimensions are less, they do not require mechanical
movement for reading and writing, they are insensitive to magnetic fields,
they are difficult to counterfeit and to interfere with (an intending
fraudulent operator must make use of complex electronic means to modify
the state of an inert semiconductor memory). As a result, these inert
semicondutor memories are particularly well adapted to be used, in
preference to others, in memory systems in accordance with the invention;
in particular in applications of these systems in banking. The various
forms of construction of the memory system in accordance with the
invention are all essentially distinguished by the structure of the
portable device; in order not to repeat the description of the transfer
arrangement associated with the portable device several times (with
reference to each modified embodiment) only two examples of this are
described. A detailed description is given with reference to FIGS. 1 and 3
and a general synoptic description with reference to FIGS. 7 and 8.
It will be clear, however, to those skilled in the art that each of the
portable devices which are illustrated in the drawings may be associated
with a transfer device presenting all or part of the characteristics of
the transfer arrangements described.
The system in accordance with the invention which is shown in FIG. 1
comprises two distinct parts which, in operation, are connected by an
interface symbolised by chain line. The two parts of the device are as
follows:
To the left of the chain line: a portable device not requiring a power
| | |
