Claims
What is claimed is:
1. A method for loading and managing a plurality of applications in a
memory of a chip card, each of said plurality of applications being
capable of a) including at least one user application, b) including at
least one data table, c) granting at least one of a plurality of rights,
to at least one of a remainder of said plurality of applications, for
carrying out at least one of a plurality of commands on said at least one
data table and d) granting at least one of said plurality of rights, to
said at least one user application, for carrying out at least one of said
plurality of commands on said at least one data table,
said at least one user application not being capable of including further
user applications, said at least one user application not being capable of
including any data tables, said at least one user application not being
capable of granting any of said plurality of rights, to any of i) said
plurality of applications and ii) user applications thereof, said method
comprising:
recording a chart of applications in the memory of the chip card which
associates a password and a memory space with a name for i) each of said
plurality of applications and ii) said at least one user application
thereof;
recording a chart of data tables in the memory of the chip card, said chart
of data tables including a plurality of records, each of said plurality of
records associating said name for each of said plurality of applications
with a name for said at least one data table thereof;
recording a chart of rights in the memory of the chip card, said chart of
rights associating for each of said plurality of applications, said name
for said at least one data table thereof with i) said name for each of
said plurality of applications, and user applications thereof, that are
capable of using said at least one data table thereof and ii) a set of
rights granted to said plurality of applications, and user applications
thereof, which are capable of using said at least one data table thereof;
and
giving permission for management of data elements contained in a table of
data as a function of a set of rights granted to a particular one of said
plurality of applications, and user applications thereof, that will be in
progress when said table of data will be used.
2. The method according to claim 1, further comprising:
recording a data table name in said chart of data tables if I) there is a
successful presenting of a secret code associated with an application name
and II) a memory allocation for this application permits the recording of
the data table name;
recording rights for said data table name in said chart of rights if there
is a successful presenting of said secret code associated with said
application name for which this table name has been recorded; and
managing data elements contained in a table of data corresponding to said
data table name as a function of i) an application in progress and ii)
rights granted to said application in progress pertaining to said table of
data.
3. The method according to claim 1, wherein said plurality of applications,
and user applications thereof, are recorded in said chart of data tables.
4. The method according to claim 1, further comprising recording a table of
a plurality of enciphering keys in the memory of the chip card, each of
said plurality of enciphering keys being associated with one of said
plurality of applications so as to permit transfer of data elements
contained in a data table associated with one of said plurality of
applications in an enciphered form that is a function of an enciphering
algorithm parameterized by a key associated with said one of said
plurality of applications.
5. The method according to claim 1, wherein said chart of applications
includes, for each of said plurality of applications, a maximum number of
tests of transactions with said chip card.
6. The method according to claim 1, wherein said chart of data tables
includes, as a description for each of a plurality of data tables, at
least one element selected from the group consisting of:
a name for that data table,
a name for an application that is associated with that data table,
a number of columns for that data table,
a type of that data table,
an address, in said memory of said chip card, of data elements pertaining
to that data table,
an address of a start of a description of a following table, and
for each column of that data table, a type of that column, a length of that
column and a name for that column.
7. The method according to claim 1, wherein said chart of data tables
includes, for each of a plurality of data tables, one member selected from
the group consisting of an application name and a column name, preceded by
a number representing a number of characters of this name.
8. The method according to claim 1, wherein said chart of data tables
includes a data table that is created by automatically assigning to said
data table an information element representing a name for an application
for which a secret code has been successfully presented.
9. The method according to claim 1, wherein said chart of rights includes a
description, for each of a plurality of records of said chart of rights,
at least one element selected from the group consisting of:
a name for a table,
a name for an application that has obtained rights,
a name for a user application that has obtained rights, and
a list of rights obtained.
10. The method according to claim 1, wherein said at least one data table
includes a plurality of columns pertaining to said at least one data
table.
11. A method for loading a plurality of applications in a memory of a chip
card, each of said plurality of applications being capable of a) including
at least one user application, b) including at least one data table, c)
granting at least one of a plurality of rights, to at least one of a
remainder of said plurality of applications, for carrying out at least one
of a plurality of commands on said at least one data table and d) granting
at least one of said plurality of rights, to said at least one user
application, for carrying out at least one of said plurality of commands
on said at least one data table,
said at least one user application not being capable of including further
user applications, said at least one user application not being capable of
including any data tables, said at least one user application not being
capable of granting any of said plurality of rights, to any of i) said
plurality of applications and ii) user applications thereof, said method
comprising:
recording a chart of applications in the memory of the chip card which
associates a password and a memory space with a name for i) each of said
plurality of applications and ii) said at least one user application
thereof;
recording a chart of data tables in the memory of the chip card, said chart
of data tables including a plurality of records, each of said plurality of
records associating said name for each of said plurality of applications
with a name for said at least one data table thereof; and
recording a chart of rights in the memory of the chip card, said chart of
rights associating for each of said plurality of applications, said name
for said at least one data table thereof with i) said name for each of
said plurality of applications, and user applications thereof, that are
capable of using said at least one data table thereof and ii) a set of
rights granted to said plurality of applications, and user applications
thereof, which are capable of using said at least one data table thereof.
12. The method according to claim 11, further comprising:
recording a data table name in said chart of data tables if I) there is a
successful presenting of a secret code associated with an application name
and II) a memory allocation for this application permits the recording of
the data table name; and
recording rights for said data table name in said chart of rights if there
is a successful presenting of said secret code associated with said
application name for which this table name has been recorded.
13. The method according to claim 11, wherein said plurality of
applications, and user applications thereof, are recorded in said chart of
data tables.
14. The method according to claim 11, further comprising recording a table
of a plurality of enciphering keys in the memory of the chip card, each of
said plurality of enciphering keys being associated with one of said
plurality of applications so as to permit transfer of data elements
contained in a data table associated with one of said plurality of
applications in an enciphered form that is a function of an enciphering
algorithm parameterized by a key associated with said one of said
plurality of applications.
15. The method according to claim 11, wherein said chart of applications
includes, for each of said plurality of applications, a maximum number of
tests of transactions with said chip card.
16. The method according to claim 11, wherein said chart of data tables
includes, as a description for each of a plurality of data tables, at
least one element selected from the group consisting of:
a name for that data table,
a name for an application that is associated with that data table,
a number of columns for that data table,
a type of that data table,
an address, in said memory of said chip card, of data elements pertaining
to that data table,
an address of a start of a description of a following table, and
for each column of that data table, a type of that column, a length of that
column and a name for that column.
17. The method according to claim 11, wherein said chart of data tables
includes, for each of a plurality of data tables, one member selected from
the group consisting of an application name and a column name, preceded by
a number representing a number of characters of this name.
18. The method according to claim 11, wherein said chart of rights includes
a description, for each of a plurality of records of said chart of rights,
at least one element selected from the group consisting of:
a name for a table,
a name for an application that has obtained rights,
a name for a user application that has obtained rights, and
a list of rights obtained.
19. The method according to claim 11, wherein said at least one data table
includes a plurality of columns pertaining to said at least one data
table.
20. A method for managing a plurality of applications in a memory of a chip
card, each of said plurality of applications being capable of a) including
at least one user application, b) including at least one data table, c)
granting at least one of a plurality of rights, to at least one of a
remainder of said plurality of applications, for carrying out at least one
of a plurality of commands on said at least one data table and d) granting
at least one of said plurality of rights, to said at least one user
application, for carrying out at least one of said plurality of commands
on said at least one data table,
said at least one user application not being capable of including further
user applications, said at least one user application not being capable of
including any data tables, said at least one user application not being
capable of granting any of said plurality of rights, to any of i) said
plurality of applications and ii) user applications thereof, said method
comprising:
providing a chart of applications in the memory of the chip card which
associates a password and a memory space with a name for i) each of said
plurality of applications and ii) said at least one user application
thereof;
providing a chart of data tables in the memory of the chip card, said chart
of data tables including a plurality of records, each of said plurality of
records associating said name for each of said plurality of applications
with a name for said at least one data table thereof;
providing a chart of rights in the memory of the chip card, said chart of
rights associating for each of said plurality of applications, said name
for said at least one data table thereof with i) said name for each of
said plurality of applications, and user applications thereof, that are
capable of using said at least one data table thereof and ii) a set of
rights granted to said plurality of applications, and user applications
thereof, which are capable of using said at least one data table thereof;
and
giving permission for management of data elements contained in a table of
data as a function of a set of rights granted to a particular one of said
plurality of applications, and user applications thereof, that will be in
progress when said table of data will be used.

Description
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention has been made in collaboration with the Universite
des Sciences et Techniques, and the CERIM and LIFL laboratories. Its
object is a secured method for the loading of several applications in a
memory card provided with a microprocessor, often called a chip card. Chip
cards such as these typically have three types of use. In a first use of
identification, they constitute keys by which their bearer can gain access
to a place or a service. In a monetary use, either they are pre-loaded
with units representing a possibility of consumption with a party that
issues chip cards (generally in telecommunications) or the information
that they contain represents a balance of a bank account. As a last type
of use, data storage may be noted: for example in order to manage health
matters, each individual is provided with a card in which his medical
history may be recorded, or again the card may replace an identity card.
The present card seeks to enable the coexistence, on a same card, of these
different uses without its being possible for the use of the card that is
made for one application to hamper the use of the card for other
applications. To this end, the invention procures a safe method for the
loading of the different applications so that they cannot interfere with
each other. The invention covers also the facility of structuring attached
to an application and the interrogation of the data elements by
application. Furthermore, the system can be used to make it possible for
the applications to permit certain data to be "seen" by certain
applications in total confidentiality.
2. Discussion of the Related Art
A first mode of managing several applications in one and the same card is
known. It shall be described here below and it shall be shown that,
despite its performance characteristics, this known loading method comes
up against certain limitations. The method of the invention will show that
these limitations can be overcome.
FIG. 1 exemplifies a sharing of the memory of a chip card that can suit
several applications. A memory of a chip card such as this is, in this
case, physically divided into two essential parts. A first description
part 1 contains descriptors, a second part 2 comprising pure memorizing
zones. A descriptor represents an application. It comprises a certain
number of bytes in binary language. A first byte 3 is called an identifier
byte. It enables the application to be designated. If, at the time of a
transaction with the card, a secret code and the identification of the
application are presented, immediately the descriptor for which the
identifier corresponds to the secret code presented is reached.
A descriptor also comprises a protection element 4 after the identifier. A
first byte of this protection element 4 relates to the protection, in
reading mode, of the words of the memory, another byte relates to the
protection in writing mode, a third and fourth byte relate to the erasure
or updating if, furthermore, the technology (EEPROMs) of the card allows
it. It could be assumed, for example, that these information elements are
encoded on one bit of the protection byte: when it is equal to zero, it
prevents action whereas it permits it if it is equal to one. Similarly, in
writing mode, it could be assumed that a third bit (or another bit) of the
second protection byte prohibits writing if its value is zero or, on
the contrary, permits it if its value is one (or possibly the contrary).
This is also the case for the erasure or the updating.
As the last essential part, a descriptor finally comprises a number 5 of
the memory words used by the concerned application. This number is
encoded, for example, on two bytes after the codes of the protection
element 4. An application concerned by a descriptor may thus contain a
number of memory words equal to any number, for example 18. To know where
the words of the memory are located, in the part 2 of this memory, which
corresponds to this application, an instruction of the microprocessor of
the chip card computes that the first 18-word address permitted is equal
to the sum, plus one, of the words allocated to the previous descriptors
in the list of the descriptors of the chip card. The last address
permitted is equal to this sum plus the number of words indicated in the
descriptor, i.e. in this case 18.
If, in one example, an identifier has corresponded with a third descriptor,
independently of the question of whether or not it is possible to read or
write in the concerned memory words, it will be known that the memory zone
allocated to the application corresponds to that of the descriptor 3, that
it is placed after those allocated to these descriptors 1 and 2
respectively, and that its length is limited by the number of words
allocated to this descriptor 3.
The microprocessors therefore at present, in their set of instructions,
comprise instructions organized in sequence and stored definitively in the
memory (ROM) of the chip card, at the end of which, firstly, it is
possible to identify a chosen application and, secondly, there are known
ways of irrevocably limiting access to an allocated set of memory words.
To create novel applications, there is furthermore provision, in this set
of instructions, for a creation instruction by which it is possible to add
a descriptor to the sequence of descriptors already present (to the extent
that the memory space allows it) and to allocate a number of memory words
(here too as a function of a memory space available in the card) to this
application described by this descriptor. The memory zone allocated to a
novel application is completely independent of that allocated to the
preceding applications.
While this technique, with the associated set of instructions, is
efficient, it has a first limitation which is that it prevents an
application from working in the memory zone reserved for another
previously recorded application. This is understandable because it is the
safety-related aim of the invention. However, in certain cases, it is
possible that the owner of an application wishes to obtain access, in a
complementary application that he would have programmed himself, to one or
more memory zones that he has previously allocated to himself. Here, this
is not possible. The structure is not flexible.
To give an approximate idea, it may be assumed in a banking application
that a banker, by means of an application recorded and represented by a
descriptor 1, has already permitted the bearer of the card to withdraw a
certain sum of money per week from his account. He may subsequently wish
to allow this same holder to make account-to-account transfers from the
bank account represented by his chip card. In the present situation, this
second application has to be entered completely independently of the first
one. This leads to a duplication of certain memory zones, and to a problem
of their management. The balance present in one of the memory zones of an
application is, for example, affected by a withdrawal while the balance,
which is theoretically the same, in another memory zone corresponding to
the transfer, is not correlatively debited by the sum corresponding to the
withdrawal.
In this case, the solution for the banker would be to eliminate one of the
applications and enter another application, as a replacement, which would
include the totality of the instructions of the preceding applications.
This causes a loss of space in the card. Since, furthermore, it is known
that the sizes of memories in these cards are limited, it will be seen
that this technique is not without drawbacks.
Furthermore, the last bytes of the descriptor provide information on the
number of words that can be used in the memory, but this is not always a
good procedure. Indeed, especially in operations for the storage of pure
data, it is possible to choose memory word lengths that are either fixed
lengths, for example 30 bytes (it being possible to assign each byte to
one character), or a variable length. However in this case it is
necessary, after each recorded information element, to show a separating
byte (a character), for example corresponding in ASCII to a star or a
fraction bar, whether oblique or otherwise. A structuring such as this has
the drawback of having to be known with precision by the programmers who
use the cards which, in certain cases, leads to cumbersome features during
use. Even for a very simple application, it is necessary to have perfect
knowledge of the entire operation of the card or of the microprocessor.
Furthermore the fixed length format, in most cases, may lead to a
systematic loss of space owing to an oversizing of the lengths of the
words in order to overcome every problem.
The problems of security or of the right of access to the data elements of
these cards are related to the location of these data elements in the
memory.
There is also another known prior art structure disclosed in the document
WO-A-8707061. However, this document provides for only one hierarchical
structure of the actors. The actors of the same hierarchical level are not
supposed to act at different levels. Still less can actors foreign to the
application be placed in the hierarchy and be permitted to consult or even
modify the records of a data table. This document proposes no approach to
overcome this problem.
SUMMARY OF THE INVENTION
It is an object of the invention to remedy these drawbacks and limitations
by proposing a completely different structure and organization of the data
elements of the applications in the card, the security of this card
dictating no particular locations in the memory for the data elements. In
this structure, instead of associating, as an indissociable element,
firstly an identifier relating to the application, secondly conditions of
protection and, thirdly, allocations of memory zones with which the
applications work, it is preferred to organize the relationships among
these different concepts hierarchically.
As shall be seen hereinafter, first of all a relationship is created among
the applications, the identifiers and preferably secret codes. This
relationship is memorized in the card in a chart called a chart of
applications. Then a recording is made, in a second chart called a chart
of tables, of the relationships that may exist between a given application
and a table of data elements with which this application works. This chief
characteristic, the creation of a table of data elements, is permitted
only for an owner of an application. The table of data elements shall then
be said, in the rest of this explanation, to belong to the application.
Finally, in a third chart, called a chart of rights, the possibilities of
interaction of the different applications and user-applications on the
created tables are organized.
A distinction is therefore made here between two classes: applications, for
example the banking application, and user applications. It is seen that,
for the essential difference between the applications and the user
applications in the chart of applications, a possibility of memory is
allocated to the applications (to create data tables corresponding to this
application) while the user applications receive no memory possibility for
this purpose. The user applications must, in order to function, use a part
of the memory lent to them by an application.
As an essential advantage, the system of the invention enables the
progressive modification of the data tables, the creation and destruction,
by the owner of an application, of his user applications and the
delegation, also by this same owner of an application, of rights of access
on his data tables to other applications or user applications. The user
applications may work on data tables already present in the memory of the
card, inasmuch as the owner of the application allows it (chart of
rights).
Furthermore, the question of the economizing of memory space is settled by
the permitting, in the chart of the data tables, of the systematic
possibility of having recordings of variable length.
An object of the invention, therefore, is a method for the loading and
management of several applications capable of implying user applications
in a chip card,
an application having available
the right to constitute user applications,
the right to set up data tables, and
the right to grant rights to applications or user applications on its own
data tables,
a user application having none of these rights available, where
for the loading of applications or user applications,
a recording is made in the memory of the chip card of a table of
applications and, of user applications, if any, which associates a password
and a memory space with each application or user application;
a recording is made in the memory of a chart of data tables, the data
tables of this chart associating, for each application, a table name with
the name of the application and with the data elements pertaining to this
application;
a recording is made in the memory of the chart of the rights granted to
applications or to user applications on these data tables, this chart of
rights associating, with each name of the data table, names of
applications or user applications and rights granted to these applications
or user applications;
and where, for the management of the applications or user applications,
permission is given for the management of the data elements contained in a
table of data elements being used as a function of the rights granted to
the application or user application in progress.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be understood more clearly from the following
description and from the figures that accompany it. These figures are
given purely by way of an indication and in no way restrict the scope of
the invention.
Of these figures:
FIG. 1 is a depiction, already commented on, of an organization of the
memory of a chip card in the prior art;
FIG. 2 is the schematic drawing of a chip card according to the invention
and its use as a transaction tool;
FIGS. 3 to 5 show precise depictions respectively of the charts of
applications, charts of rosters and charts of rights;
FIG. 6 shows particular features of organization of the data elements in
the chart of tables;
FIG. 7 shows the effect of the organization of the chart of tables on the
arranging of the data elements in a data memory of the chip card;
FIGS. 8, 9 and 10 show flow charts of the creation respectively of each of
the charts according to the invention,
FIGS. 11 and 12 show flow charts of possible action on the data table.
DESCRIPTION OF PREFERRED EMBODIMENTS
FIG. 2 shows a schematic organization of a chip card according to the
invention. This chip card 10 has, on a support, an electronic circuit
provided with means of exchange with the external world that are not shown
but are of a known type (contact metallizations). This electronic circuit
has a microprocessor 11 and a data memory 12 (in one example, this data
memory 12 is of the EEPROM type, i.e. it is programmable and erasable).
The chip of the chip card also has a program memory 13 (ROM) that contains
the instructions of the microprocessor proper to the invention. According
to what has been indicated here above, in the memory of the chip, in
addition to the data memory 12, the presence of the following is
recognized: a chart of applications 14, a chart of tables 15 and a chart
of rights 16. Also noted is the presence, which shall be explained further
below, of a chart 17 of enciphering keys. Since the chart 17 is a
particular chart, it can also be defined on a complementary basis in the
chart of the tables 15. This enables an enciphered transmission of the
data elements read in the memory 12. The microprocessor 11 is connected to
the different memories 12 to 17 by a data and address bus 110. A typical
architecture of a microprocessor is described in Daniel Quayssac,
Comprendre les Microprocesseurs, Editions Radio, France 1983.
During the use of a chip card 10 such as this, the card is introduced into
a reader 18 which itself comprises a microprocessor (not shown) capable of
performing, with the card 10, a program 19 by means of a keyboard 20, a
display monitor 21 and a machine
For example, as shown on the monitor 21 for a banking application, an
operator acting on the keyboard 20 may cause a withdrawal, and hence
prompt the execution of a part of the program 19 by which the machine 22,
for its part, will dispense banknotes 23 to him. At the same time, the
reader will make a recording in the chip card (or in a centralized
management system which is not shown) of the debiting of the corresponding
account.
A schematic indication is given, on the screen of the monitor 21, of the
presence of several possible applications: a BANK application, a GARAGE
application, a SOCSEC (social security) application. Other applications
could have been shown, for example TELECOM for telecommunications, etc.
The value of the invention arises out of the fact that different
operators, different issuing parties, also called owners of applications,
who have no contractual relationships with one another, may use one and
the same carrier and may do so without any risk that the actions performed
by one of the owners of applications or users will influence the data
elements recorded in the data tables belonging to another owner of an
application (the risks pertaining thereto in the banking sector can easily
be grasped).
Furthermore, for the banking application, several possible uses are shown
on the screen of the monitor 21: these include, for example, the uses
WITHDRAWAL, TRANSFER, DISPLAY. It is therefore possible to make a clear
hierarchical distinction between, firstly, the applications and, secondly,
user applications. As shall be seen further below, these applications and
these user applications are all recorded in the table of the applications.
However, the difference that separates them lies in the fact that the
applications can create and exploit (reading/writing, updating, erasure)
data tables while the user applications can only exploit them. This
exploitation is controlled in two ways. Firstly, a memory allocation
permits the insertion of recordings, or lines, into a data table if this
allocation is not zero. Secondly, the chart of rights can enable this user
application to insert (INSERT), delete (DELETE), modify (MODIF) or only
select (SELECT) a recording in a data table on which these rights have
been received.
Since the memory of the card is shared among several applications, during
the creation of the applications and user applications, a maximum size of
usable memory is defined for each application or user application. By its
principle, this information on size is memorized in a counter present in
the chart of the applications. When data elements are added to a line of a
data table by an application or a user application, the contents of the
counter are reduced by the number of characters inserted. Should data
elements be destroyed in a line of the table, the content is increased by
the number of characters eliminated. Instead of characters, it is also
possible to specify a number of lines of information in the memory
allocation: the size of the line being possibly free (within the limits of
the space available).
In the following description, each of the charts of the invention shall be
presented, with a specifying of, firstly, their structure and, secondly,
the commands to which they respond, namely the instructions that the
microprocessor is entrusted with carrying out (to the exclusion of all
other instructions) to create and modify them.
FIG. 3 shows the chart 14 of the applications. This chart comprises
essentially four columns. A first column is the NAME OF APPLICATION
column. A second column is the PASSWORD column of the application. A third
column is the USABLE MEMORY SIZE column. Preferably, although it is not
obligatory, the password column is itself divided into two parts, a first
part comprising the secret code itself and a second part, located before
and after the first one, containing a maximum number of tests that are
likely to be made for the presenting of the secret code to enable entry
into the application. Similarly, for the data tables, preferably, the
chart of the applications will have columns with variable length.
For example, the name of the application and the password of the
application are limited in length. The number of tests for presenting the
secret code, and the usable memory space will be memorized, in fixed
length, by a value contained respectively in one or two bytes. The way in
which it is possible to provide for variable sizes shall be seen further
below.
As a reminder of what was presented here above, six recordings 141 to 146
were presented in this chart: the first three represent applications
properly speaking, with a usable memory size that is different from zero,
the last three represent user applications and they too have a non-zero
usable memory size. These user applications cannot subsequently create
data tables. To distinguish them from the applications, they comprise, in
a fourth column, an indication (herein U) mentioning their type: user
application. The applications proper comprise a corresponding indication
A. Naturally, other symbols can be used. What counts is their being
differentiated.
To simplify matters, a password has been attributed to each application,
for the BANK application, the password is FORTUNE; for the GARAGE
application, the password is AUTO, for the social security application,
the password is HEALTH. For the three uses, WITHDRAWAL, TRANSFER, DISPLAY
respectively, the passwords are USE1, USE2, and USE3.
FIG. 8 shows the operation for the creation of the chart of applications.
This creation is normally done by the manufacturer of the chip card or by
an issuing entity who has obtained the password of a SYSTEM application
from the manufacturer. To simplify the description, it will be assumed
that it is the chip card manufacturer who has performed this operation.
Following the habitual practice, this operation shall be called the
customization of the card. This operation consists in introducing, into
the card, the BANK, SOCSEC and GARAGE applications. Whoever carries out
the customization assigns secret codes, preferably by a random method, to
the applications. These applications could, during the first use of the
card, change this code (CHANGE CODE) and assign themselves a code that is
known to themselves alone.
Before the cards are delivered in a bare state, before they are customized
with the different applications, it may be considered all the same that,
owing, firstly, to the existence of the instructions of the microprocessor
and, secondly, to the organization in the form of charts, they comprise a
system application with which it will be possible to program the card.
The system application comprises a PRESENT instruction which must be
followed, in its syntax, by the name of the concerned application. To
facilitate the internal management of the system, the chart of the
applications contains, at least at the start, a particular application
called SYSTEM. The system contains the microprocessor, the memory and the
program carrying out the functions of the invention. This program is
contained in a ROM. In the rest of this description, reference shall be
made to instructions of the microprocessor to qualify the functions of the
system. The object of the instruction PRESENT is to seek to compare a
secret code already recorded in the card with a secret code proposed by
the operator with a keyboard like the keyboard 20.
In practice, the operator introduces the card into the reader 18 and sends
the preceding instructions PRESENT, SYSTEM with the keyboard 20. Then the
secret code SECRET is entered by the keyboard, and the operator validates
this entry. A verification is then undertaken to ascertain that the secret
code SECRET entered by means of the keyboard is the same as the secret
code SECRET previously recorded in the card. The secret code previously
recorded in the card is the basic secret code of the chip: it is normally
stored in a special part of the memory. This part is not accessible from
the exterior of the card. Only the system of the card has access thereto.
Should the verification fail, a rejection program is arrived at.
The rejection program may comprise the permission to present the secret
code again, as many times in all as is permitted for the application. For
example, in the case of the system application, only one presentation is
permitted. To carry out this function, the instruction PRESENT of the
microprocessor contains the following actions in the order given:
1) the loading of the number of presentations in an internal register of
the microprocessor;
2) the incrementation of a counter of attempts at each attempt;
3) the comparison of the counter and of the loaded number;
4) the conditional routing to a definitive rejection or another attempt.
The counter of attempts forms part of the chip card.
The rejection program therefore comprises a counter of attempts that can be
parametrized by the permitted number of presentations of the password
which, when it is full, prompts the rejection proper of the attempt. In
practice, this rejection of the attempt may lead the external system
(reader 18) to keep the card 10 definitively imprisoned and, in a manner
known per se, to orient it towards a receptacle from which its bearer will
not be able to remove it.
If the verification has been done successfully, at this stage of
manufacture, hence when the card is with the chip card manufacturer, only
one command can be carried out: the CREATE command. This command CREATE
can be used to record all the applications and the user applications
desired. With this operation, the manufacturer can insert applications
into the applications chart 14 which is also the user applications chart.
To this end, it is enough to send the card the command CREATE, followed by
the name of the application, the secret code assigned to this application,
the memory space that can be used by this application and the permitted
number of unsuccessful attempts to present this secret code for this
application. To distinguish the user applications from the applications,
to this command there is added a parameter A for the applications and U
for the user applications. Or again, preferably, the card has a pair of
commands available, CREATE APPLICATION and CREATE APPLICATION USER which
have the same parameters as the preceding CREATE but automatically place
the indications A or U respectively. Thus, the recordings 141 to 146 are
entered. When all the applications of the uses have been created in the
chart 14, it is possible to send an instruction CLOSE with the keyboard.
This instruction CLOSE enables the switch-over, for example definitively,
of the possibility of inserting applications with the command CREATE
APPLICATION. Indeed, if the manufacturer does not know all the
applications at the time of the customization, it is possible later, provided
that the command CLOSE has not been launched, to insert other applications
by redoing a PRESENT SYSTEM command followed by the right secret code. The
command CLOSE closes this function by invalidating the SYSTEM application.
In fact, the SYSTEM application is then quite simply removed from the
chart of the applications. It can then no longer be recognized by the
card. By contrast, the applications may retain the right to create user
applications with the command CREATE-APPLICATION USER.
At the physical level, this invalidation is obtained by the blowing of a
fuse or by the irreversible switching of a memory cell of an EEPROMS type
memory from one logic state to another. The operation CLOSE may be
followed by an operation REBOOT to reboot the card: the electrical supply
of the chip should be cut off and then restored. In this case, the chart
14 of the applications is definitively frozen. If the instruction CLOSE is
not sent, the card is not locked.
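The following is an added illustration, not the patent's own code, of the chart of applications as described above: the PRESENT instruction with its attempt counter (steps 1 to 4), CREATE restricted to a presented SYSTEM application (or to user applications when created by an ordinary application), and CLOSE removing SYSTEM from the chart. Class and method names, the reset of the attempt counter on success, and the blocked flag are assumptions made for the example.

```python
# Added example (not from the patent): chart of applications with PRESENT/CREATE/CLOSE.
from dataclasses import dataclass
import secrets

@dataclass
class AppRecord:
    password: str          # secret code of the application
    max_tries: int         # permitted presentations of the secret code
    usable_memory: int     # memory counter (reduced as lines are inserted)
    kind: str              # "A" application or "U" user application
    tries: int = 0         # counter of attempts, part of the card
    blocked: bool = False  # definitive rejection reached (assumed flag)

class CardApplications:
    def __init__(self, system_code):
        # bare card: only SYSTEM exists, and one presentation is permitted for it
        self.chart = {"SYSTEM": AppRecord(system_code, 1, 0, "A")}
        self.presented = None  # application whose code was last presented

    def present(self, name, code):
        rec = self.chart.get(name)
        if rec is None or rec.blocked:
            return False
        # steps 1-4: permitted number loaded, attempt counted, compared, routed
        rec.tries += 1
        if secrets.compare_digest(rec.password, code):
            rec.tries = 0  # reset on success (assumption)
            self.presented = name
            return True
        if rec.tries >= rec.max_tries:
            rec.blocked = True  # rejection proper of the attempt
        return False

    def create_application(self, name, code, memory, max_tries, kind):
        # CREATE needs a presented application; only SYSTEM may create type A
        creator = self.presented
        if creator is None or name in self.chart:
            return False
        if creator != "SYSTEM" and kind != "U":
            return False
        self.chart[name] = AppRecord(code, max_tries, memory, kind)
        return True

    def close(self):
        # CLOSE removes SYSTEM from the chart: no further CREATE APPLICATION
        if self.presented != "SYSTEM":
            return False
        del self.chart["SYSTEM"]
        self.presented = None
        return True
```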
FIG. 3 shows the association of the enciphering keys with the applications.
This means that the chart 14 of the applications may comprise, as a fifth
column, a column representing enciphering