The invention relates to a data protection microprocessor circuit as defined in claim 1.
The use of such microprocessor circuits is preferred in so-called chip cards, i.e. identity cards, credit cards, booking cards and the like, which are equipped with an integrated circuit.
In order to facilitate the understanding of the invention, the following description is intended to refer to the application of the microprocessor circuit to cards.
A card with a microprocessor was first described in DE-OS 27 38 113. One of the main advantages of such a card is its versatility for the cardholder. The microprocessor and associated storage devices contained in the card's integrated circuit allow extensive data processing in the card itself, whereas cards such as those equipped with magnetic strips require all data processing operations to be performed externally.
The card manufacturer may equip the microprocessor with a fixed-memory operating system that performs basic functions, such as procedures for comparing an externally entered code with a stored code, etc. The memory of the microprocessor is used not only to store the operating system but also to store certain applications and parameters, e.g. those necessary for security verification and which must in any case be kept secret.
The multi-faceted application of cards is achieved by starting from an operating system with associated programs, defining certain interfaces and reserving a memory or storage area for a so-called third-party program. The card manufacturer then provides the users, i.e. the card issuing organizations, with a memory or storage area for the programming of their third-party program. In this third-party program, the organization can then specify specific operations that are independent of the operating system and that only concern the specific organization.
Another possible variant is that not only one organization would program its foreign program into the prefabricated chip card, but several different organizations would store their corresponding programs.
In any case, it must be ensured that security-related data which are part of the operating system or even of individual third party programmes are protected from unauthorised access.
The purpose of the invention is to specify a circuit which, by means of simple measures, ensures that access by a third party program can be obtained only to those areas of memory which are expressly authorized for access.
The problem is solved according to the invention by the features given in claims 1 and 12.
According to a first embodiment of the invention, the data protection circuit consists of a first device to monitor the address being accessed, a second device to monitor the microprocessor program counter and another device that combines the signals of the monitoring devices to generate a blocking signal.
Monitoring the program counter status enables the protection circuit to determine at any time which of the loaded programs is currently running, while at the same time monitoring the address called by the respective active program; the linking circuit can therefore respond easily to unauthorized memory access, for example by sending a reset signal to the microprocessor.
The protection circuit is decoupled from the actual microprocessor, but preferably provided on the integrated circuit containing the microprocessor. By specifying appropriate settings for the respective program counter level and addresses, any storage areas that are allowed or not allowed for a particular user can be defined. If certain storage areas are selectively blocked from reading or writing, the write/read signal of the microprocessor in the protection circuit must be processed accordingly.
Another embodiment of the invention provides that the protective circuit is formed by a microprocessor called a backup processor which monitors the microprocessor called a work processor running the third party programs. This means that the work processor is under constant control of the backup processor, which releases the work processor after each reset and subsequent initialization phase. If the backup processor detects that the work processor running a particular third party program is accessing an unauthorized memory area, the backup processor gives a blocking signal to a non-maskable interrupt or reset input of the work processor.
Since the backup processor is intended to monitor all individual steps of the work processor, it will conveniently operate at a higher clock rate than the work processor.
If several foreign programs are stored in the memory allocated to the work processor, access to the operating system and to the other foreign programs must be prevented. The necessary settings are conveniently stored as limit values in a memory allocated to the backup processor. To this end, a limit value memory is allocated to the backup processor in which the limits for the monitored addresses and for the permissible contents of the program counter of the work processor are stored. These areas are not accessible to the work processor.
The blockage of the execution of a third-party program in case of unauthorized memory access can also be achieved by allowing only a certain set of interpretable commands. The commands of the third-party program are then executed under the control of the operating system, ensuring that access is only to those areas to which access is expressly permitted. The microprocessor's program counter never comes under the control of the third-party program.
In addition to the above mentioned possibilities, the invention provides in a further variant that several freely programmable memory areas are provided with address spaces which are equal to at least one maximum value. The highest-value bits of each area assigned to a memory area are loaded into an auxiliary register before the address of the storage area. A locking signal is generated at each change in the data content of the auxiliary register. A specific user is defined by the microprocessor with each loading of the auxiliary register. If this user accesses an unauthorized storage area, the contents of the auxiliary register change accordingly, and the protective circuit then generates the locking signal.
Further advantages and developments of the invention are shown by the subclaims and the examples of implementation described below, illustrated by the following figures:
Figure 1: a data carrier with integrated circuit,
Figure 2: a block diagram of a data carrier integrated circuit with microprocessor, memory and locking circuit,
Figure 3: a block diagram of a data carrier integrated circuit with a working processor and a backup processor and associated storage, and
Figure 4: a block diagram of a data carrier integrated circuit with microprocessor, memory and locking circuit.
Fig. 1 shows the structure of a data carrier, e.g. a credit card 1 with a clear data field 2, a signature strip 3, and an integrated circuit 5 with connecting contacts 6 embedded in the card body. The connecting contacts 6 are here arranged in two rows. The structure of such cards is basically known and is not explained here. The manner of use and data processing in connection with such credit cards is also known. Data are exchanged via the connecting contacts 6 with, for example, a terminal, an ATM or the like. Security features that are necessary for the card to be usable are, for example, integrated into the credit card.
Fig. 2 shows a first embodiment of an integrated circuit as built into the credit card. A microprocessor 10 contains a control unit 11 connected to a memory arrangement 30 via a control line 18, an arithmetic logic unit (ALU) 12, a register set 13, an address register 14 and a data register 15. One of the registers in register set 13 serves as a program counter, the contents of which determine which address of the memory arrangement 30 is accessed to retrieve a command from the foreign program stored there.
The address is passed to the memory arrangement 30 via an address bus 17, and the data written to or read from the memory arrangement 30 is transferred to the data register 15 via a data bus 16 and from there into one of the registers of register set 13.
The memory arrangement 30 in the example illustrated includes a read/write memory (RAM) 31, a read-only memory (ROM) 32 and an E2PROM 33. These memory areas 31, 32 and 33 belong to the operating system (OS), which contains some security-relevant data which must in any case be kept secret.
If the manufacturer wishes to make available to the user an area of the operating system which must not contain any security-related data, the protection circuit 20 described below should be adapted accordingly in relation to the remaining addresses of the operating system to be protected.
The memory area 34 is designed as an E2PROM. The external program, which is loaded by the user, takes up the memory spaces w to x, while the operating system takes up the memory spaces 0 to w-1.
The third party program contains special routines and data to determine, for example, whether the service requested by the cardholder, e.g. a cash out, is accepted, depending, for example, on the cardholder's current account balance. After the cardholder has inserted the card into an ATM, a data exchange takes place between the ATM and the microprocessor.
To prevent the access of the third party program to addresses in memory ranges 31, 32 and 33, a protective circuit 20 is provided in accordance with the invention, which is available in addition to the microprocessor 10 and the memory arrangement 30.
The protective circuit 20 contains a first comparator 21, a first auxiliary register (HRI) 22, a second comparator 23, a second auxiliary register (HRII) 24, an AND gate 25 and an output line 26 leading from the AND gate 25 to the control unit 11 of the microprocessor 10.
Comparator 21 compares the contents of the address register 14 with the contents of the auxiliary register 22, while comparator 23 compares the contents of the program counter with the contents of the auxiliary register 24.
The comparator 21 gives a signal if the address in the address register 14 is smaller than the address w stored in the auxiliary register 22 (this means that the foreign program is accessing an unauthorized storage space between 0 and w - 1), while the comparator 23 gives a signal if the contents of the program counter PC in register set 13 are greater than or equal to the value w stored in the auxiliary register 24, the latter meaning that the foreign program is currently being executed.
If both comparators 21 and 23 give a signal, this means that the foreign program is running and that an unauthorized address outside the foreign program's address space is being accessed.
To selectively block read or write, the microprocessor read/write signal is processed in the protective circuit 20 (see line 27).
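The behaviour of the protective circuit 20 of Fig. 2, written out as a software model (an added example, not part of the patent): comparator 21 fires when the accessed address lies below w, comparator 23 fires when the program counter is at or above w, the AND gate 25 combines both into the blocking signal on line 26, and the read/write signal on line 27 lets the circuit block only reads, only writes, or both. The address layout and the bus trace are constructed for the example.

```python
# Added example (not from the patent): model of protection circuit 20 in Fig. 2.
# Addresses 0..w-1 hold the operating system, w..x the third-party program; the
# value w is held in both auxiliary registers 22 (HRI) and 24 (HRII).
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class BusCycle:
    pc: int        # program counter in register set 13
    address: int   # contents of address register 14
    write: bool    # read/write signal on line 27 (True = write access)

def comparator_21(address: int, hr_i: int) -> bool:
    """Fires when the accessed address lies in the OS area 0..w-1."""
    return address < hr_i

def comparator_23(pc: int, hr_ii: int) -> bool:
    """Fires when the program counter shows the third-party program is running."""
    return pc >= hr_ii

def blocking_signal(cycle: BusCycle, w: int,
                    block_reads: bool = True, block_writes: bool = True) -> bool:
    """AND gate 25: only when both comparators fire is the access a violation;
    the read/write line then decides whether reads, writes or both are blocked."""
    both = comparator_21(cycle.address, w) and comparator_23(cycle.pc, w)
    if not both:
        return False
    return block_writes if cycle.write else block_reads

def run_trace(trace: List[BusCycle], w: int, **mode) -> List[int]:
    """Indices of the bus cycles on which line 26 would reset the microprocessor."""
    return [i for i, cycle in enumerate(trace) if blocking_signal(cycle, w, **mode)]

W = 0x1000  # constructed layout: OS at 0x0000..0x0FFF, third-party program from 0x1000
SAMPLE_TRACE = [  # constructed trace of (pc, address, write)
    BusCycle(pc=0x0200, address=0x0010, write=False),  # OS reads its own data: allowed
    BusCycle(pc=0x1004, address=0x1400, write=False),  # foreign program in its area: allowed
    BusCycle(pc=0x1008, address=0x0010, write=False),  # foreign program reads OS area: blocked
    BusCycle(pc=0x100C, address=0x0800, write=True),   # foreign program writes OS area: blocked
]

if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE, W))                     # [2, 3]
    print(run_trace(SAMPLE_TRACE, W, block_reads=False))  # [3]
```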
In a variation of the embodiment shown in Figure 2, additional comparators with associated auxiliary registers may be provided if additional storage areas are available for additional third-party programs to be loaded by different users.
Figure 3 shows a second embodiment of the invention: a working processor 110 with its associated memory arrangement (PROM) 130 performs essentially the same function as the microprocessor 10 with its associated memory arrangement 30 in Figure 2.
The protective circuit is a second processor, namely a backup processor 120 with its own storage arrangement 150.
An operating clock signal C1 determines the working speed of the backup processor 120; a sub-circuit 140 divides the clock signal frequency by n, so that the working processor 110, which receives the output signal of the sub-circuit 140, operates only at 1/n of the speed of the backup processor 120.
The backup processor 120 contains a controller 121 that sends a reset signal to the working processor 110 when an unauthorized access to memory is detected by a third party program. To this end, the address bus 117 and the control line 118 between the working processor 110 and the storage device 130 are monitored. In addition, the working processor's program counter (PC) is monitored. Both the data on the address bus 117 and the contents of the PC program counter are compared for each third party program with certain thresholds.
The memory arrangement 130 for the work processor 110 contains several memory areas for different users, here referred to as user I, user II, ... As mentioned above, these third party programs are loaded separately by the different organizations, not by the card manufacturer.
When a particular foreign program, e.g. the program stored in memory compartment 134 of user I, is executed by the working processor 110 after initialization, the backup processor 120 compares the respective address signals and program counter contents with the corresponding limits for that user. These limits are stored in memory arrangement 150 as part of the operating system of the backup processor 120. For example, when the foreign program of user I is executed, the contents of the PC counter must cover only a certain range of values. Furthermore, the addresses on the address bus 117 must only correspond to this range of values.
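The limit-value memory 150 of the backup processor 120 modelled as a table, with one monitoring step per work-processor bus cycle (an added example, not from the patent): from the program counter the backup processor derives which user's program is active, then checks the address on bus 117 against that user's stored limits. The memory layout, the user names and the trace are constructed for the example.

```python
# Added example (not from the patent): the backup processor 120 of Fig. 3 checking
# each step of the work processor 110 against per-user limits held in memory 150.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Limits:
    pc_lo: int     # lowest program counter value of this user's program
    pc_hi: int     # highest program counter value (inclusive)
    addr_lo: int   # lowest address the program may access
    addr_hi: int   # highest address it may access (inclusive)

# Constructed layout of memory arrangement 130: operating system below 0x1000,
# the programs of user I and user II above it. These limits are the contents of
# memory 150, which the work processor cannot reach.
LIMIT_MEMORY: Dict[str, Limits] = {
    "user I": Limits(pc_lo=0x1000, pc_hi=0x1FFF, addr_lo=0x1000, addr_hi=0x1FFF),
    "user II": Limits(pc_lo=0x2000, pc_hi=0x2FFF, addr_lo=0x2000, addr_hi=0x2FFF),
}

def active_program(pc: int, limits: Dict[str, Limits] = LIMIT_MEMORY) -> Optional[str]:
    """From the program counter the backup processor derives which third-party
    program is running; None means the operating system itself is executing."""
    for user, lim in limits.items():
        if lim.pc_lo <= pc <= lim.pc_hi:
            return user
    return None

def check_cycle(pc: int, address: int,
                limits: Dict[str, Limits] = LIMIT_MEMORY) -> Tuple[Optional[str], bool]:
    """One monitoring step: returns (active user, reset signal). The operating
    system is not restricted; a user program may only touch its own address range."""
    user = active_program(pc, limits)
    if user is None:
        return None, False
    lim = limits[user]
    return user, not (lim.addr_lo <= address <= lim.addr_hi)

def supervise(trace: List[Tuple[int, int]],
              limits: Dict[str, Limits] = LIMIT_MEMORY) -> int:
    """Runs the backup processor over (pc, address) pairs, one per work-processor
    step, and returns the index of the step that triggers the reset, or -1."""
    for i, (pc, address) in enumerate(trace):
        if check_cycle(pc, address, limits)[1]:
            return i
    return -1

if __name__ == "__main__":
    # constructed trace: OS initialization, user I in its own area, user I reaching into user II
    print(supervise([(0x0100, 0x0010), (0x1004, 0x1800), (0x1008, 0x2010)]))  # 2
```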
Figure 4 shows a third embodiment of the invention, whereby the operating system memory 231 associated with the microprocessor 210 is arranged separately from the memory areas 234, 235 and 236. The latter are used to host third party programs for three different users.
For example, the address space for accessing the three (PROM) ranges 234, 235, 236 contains 16 bits, with the two highest value bits determining which memory or memory range is intended for the current access.
At the beginning of the execution of the subprogram, i.e. at its first address, the two highest-value bits of the address register are loaded from the address bus into a second auxiliary register (HRII) 223, and a comparator 221 is activated to compare the contents of the two auxiliary registers 222 and 223 by means of a corresponding control signal 228 from the microprocessor. As long as the content of the auxiliary register 222 agrees with that of the auxiliary register 223, the subprogram moves only in the address space (memory area 234) assigned to it. If another address space is accessed, the two highest-value bits of the address register and thus the contents of the auxiliary register 223 change. This is detected by the comparator 221, which reports it to the microprocessor via line 226.
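The auxiliary-register scheme of Fig. 4 as a runnable model (an added example, not part of the patent): the two highest-value bits of a 16-bit address select the memory area, HRI 222 holds the area the microprocessor assigned to the current user, HRII 223 is reloaded from the address bus on every access, and comparator 221 raises the locking signal as soon as the two disagree. The assignment of bit patterns to areas (00 for OS memory 231, 01/10/11 for areas 234/235/236) and the access trace are constructed for the example.

```python
# Added example (not from the patent): auxiliary registers 222/223 and comparator 221
# of Fig. 4. Constructed area assignment: 00 = OS 231, 01 = 234, 10 = 235, 11 = 236.
from typing import List, Optional

ADDRESS_BITS = 16
REGION_SHIFT = ADDRESS_BITS - 2   # the two highest-value bits select the memory area

def region_bits(address: int) -> int:
    """Extracts the two highest-value bits of a 16-bit address."""
    if not 0 <= address < (1 << ADDRESS_BITS):
        raise ValueError("address must fit in 16 bits")
    return address >> REGION_SHIFT

class RegionGuard:
    """Auxiliary registers 222 (HRI) and 223 (HRII) with comparator 221."""

    def __init__(self) -> None:
        self.hr_i: Optional[int] = None    # area the microprocessor assigned to the user
        self.hr_ii: Optional[int] = None   # area bits last seen on the address bus
        self.armed = False                 # control signal 228 activates comparator 221

    def start_subprogram(self, assigned_area: int, first_address: int) -> None:
        """Microprocessor loads HRI with the user's area, HRII takes the two highest
        bits of the first address from the bus, and signal 228 arms the comparator."""
        self.hr_i = assigned_area
        self.hr_ii = region_bits(first_address)
        self.armed = True

    def access(self, address: int) -> bool:
        """Every access reloads HRII from the address bus; if it no longer agrees
        with HRI the comparator raises the locking signal (returned as True)."""
        if not self.armed:
            return False
        self.hr_ii = region_bits(address)
        return self.hr_ii != self.hr_i

def first_violation(assigned_area: int, start: int, accesses: List[int]) -> int:
    """Index of the first access that leaves the subprogram's own area, or -1."""
    guard = RegionGuard()
    guard.start_subprogram(assigned_area, start)
    for i, address in enumerate(accesses):
        if guard.access(address):
            return i
    return -1

if __name__ == "__main__":
    # constructed: user in area 01 (0x4000..0x7FFF) strays into area 10 on the third access
    print(first_violation(1, 0x4000, [0x4100, 0x7FFF, 0x8000, 0x4200]))  # 2
```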